Why UAE Gaming Operators Need a Reliable AML Screening Solution in Dubai

The UAE established the General Commercial Gaming Regulatory Authority (GCGRA) in September 2023, transforming from a jurisdiction with a total prohibition on gambling into one of the most closely watched gaming licensing destinations in the world.

Under Federal Decree-Law No. 10 of 2025, gaming operators are now formally classified as Designated Non-Financial Businesses and Professions (DNFBPs). This triggers the full spectrum of UAE anti-money laundering and counter-terrorism financing obligations. Deploying a robust AML screening solution in Dubai is a prerequisite for licensing, not an afterthought.

At First Compliance Solution, we help gaming operators, technology vendors, and key persons build the compliance infrastructure the GCGRA demands. This guide covers everything you need to know.

Part 1: The UAE Gaming Market in Context

From Prohibition to a Federal Licensing Regime

The UAE Penal Code previously prescribed fines of up to AED 20,000 and up to two years’ imprisonment for gambling participants, and up to ten years’ imprisonment for organisers.

The regulatory shift was driven by economics. Research indicated that even a 1.6% gaming contribution to GDP could generate approximately USD 6.6 billion annually, a meaningful diversification of the UAE’s economic base beyond oil and tourism.

On 3 September 2023, WAM (Emirates News Agency) announced the GCGRA’s establishment by federal decree, with a mission to “create a socially responsible and well-regulated gaming environment, ensuring that all participants adhere to strict guidelines and comply with the highest standards.” The GCGRA’s founders framed this not as an abandonment of cultural values, but as a responsible entertainment framework built on player safety, financial crime prevention, and responsible gaming.

Key Milestones

● January 2024: Mahzooz and Emirates Draw paused operations to pursue GCGRA licensing.
● July 2024: The Game LLC received the UAE’s first Lottery License.
● November 2024: The UAE national lottery launched, including the AED 100 million “Lucky Day” jackpot.
● October 2024: Wynn Resorts received the UAE’s first casino license for a USD 3.9–5 billion integrated resort on Al Marjan Island, Ras Al Khaimah, opening early 2027.
● December 2024: The GCGRA issued a Consumer Advisory Notice warning against unlicensed operators.
● April 2025: The GCGRA signed an MOU with New Jersey gaming regulators for cross-border regulatory cooperation.
● Late 2025: Play971 became the UAE’s first licensed online gaming and sports betting platform.
● 1 June 2026: Federal Decree-Law No. 25 of 2025 came into effect, making GCGRA-licensed gaming contracts enforceable in UAE civil courts for the first time.
Morgan Stanley estimates the UAE gaming market could generate USD 3–5 billion in gross gaming revenue annually, making a GCGRA licence one of the most commercially significant regulatory permits available in the industry right now.

Part 2: The GCGRA's Structure and Mandate

The GCGRA is headquartered in Abu Dhabi and holds exclusive federal jurisdiction to regulate, license, and supervise all commercial gaming activities across all seven emirates. It operates with three core mandates: establishing and enforcing regulatory standards, overseeing financial crime prevention, and promoting responsible gaming through evidence-based player protection programmes.

The Four Categories of Regulated Gaming

Internet Gaming: Online casino games, eSports betting, and fantasy sports across all digital platforms. The definition is intentionally broad to accommodate new formats as they emerge.

Land-Based Gaming Facilities: Physical casinos, gaming floors, and slot halls. Wynn Al Marjan Island is the flagship project, with further licences expected.

Sports Wagering: Regulated betting on sporting events under GCGRA technical standards.

Lotteries: The GCGRA intends to maintain one official lottery. Existing games like Big Ticket and Dubai Duty Free may continue under GCGRA supervision, but no new lottery licences will be granted.

Technical Standards

The GCGRA has partnered with Gaming Laboratories International (GLI) to adopt GLI-19 (Interactive Gaming Systems) and GLI-33 (Event Wagering Systems) as its technical benchmarks.

Operating Without a Licence

Engaging in, conducting, or facilitating commercial gaming in the UAE without a GCGRA licence is illegal. Penalties include heavy fines, imprisonment, and business closure.

Part 3: GCGRA Licensing - Types, Eligibility, and Process

Who Must Apply?

Every business and individual involved in any aspect of commercial gaming must obtain the appropriate licence before commencing activities, not just operators.

Licence Types

Entity Licences cover Gaming Operators, Gaming-Related Vendors and Suppliers, and Key Persons at the corporate level.

Individual Licences cover Key Persons (individuals) and Gaming Employees involved in the operation, supervision, or management of a licensed entity.

A single gaming operation may require multiple licence types. A resort operating a casino floor with proprietary software would need both a Gaming Facility Operator licence and a Gaming Technology Supplier licence.

Eligibility Requirements

The GCGRA evaluates all applicants against standards of integrity, financial capacity, and operational competence. Core criteria include a clean regulatory record across all operating jurisdictions, sufficient financial resources, and a detailed business plan incorporating responsible gaming frameworks, an AML compliance programme, and technical infrastructure specifications.

The Six-Step Licensing Process

Step 1: Intake Form. Submit the GCGRA Intake Form with company information, ownership structure, key persons, and intended licence types.

Step 2: Initial Screening and Portal Access. The GCGRA conducts preliminary screening. If in scope, the applicant gains access to the licensing portal.

Step 3: Full Documentation Submission. Submit corporate filings, AML/KYC policies, technical certifications, a responsible gaming programme, and key personnel documentation.

Step 4: Suitability Investigation. The GCGRA conducts background checks, financial verification, and operational capability assessments.

Step 5: Assessment and Approval. No formal deadline is set, but the GCGRA is committed to a smooth process. Applicants should plan for several months.

Step 6: Ongoing Monitoring. Licensing is not a one-time event. Operators face continuous compliance obligations and regular GCGRA engagement.

Documentation Checklist

● Constituent documents and certificate of registration
● Detailed business plan with financial forecasts and organisational charts
● AML/CFT compliance programme documentation
● Responsible gaming programme
● Technical specifications and independent laboratory certifications
● Key personnel backgrounds and declarations
● Proof of financial stability
● Local representative contact details

Part 4: AML/CFT Compliance Under the GCGRA

Gaming Operators Are Now DNFBPs

Cabinet Resolution No. 134 of 2025 formally includes gaming operators in the DNFBP definition under Article 3, Item 1. The AML threshold is a single or linked transaction at or above AED 11,000. At that level, the full UAE AML/CFT compliance framework applies.

Federal Decree-Law No. 10 of 2025 replaced the 2018 AML law, coming into effect on 14 October 2025. Cabinet Resolution No. 134 of 2025 followed on 14 December 2025 as its implementing regulation.

This is a significant structural shift for the gaming industry. Operators that previously had no formal AML obligations now sit within the same regulatory perimeter as financial institutions and real estate brokers. An effective AML screening solution in Dubai is not a compliance add-on for gaming businesses. It is the backbone of a licensable operation.

The Legal Framework at a Glance

● Federal Decree-Law No. 10 of 2025 on Combating Money Laundering, Terrorist Financing, and Proliferation Financing
● Cabinet Resolution No. 134 of 2025 (Executive Regulations)
● FATF Recommendation 22 (Enhanced CDD for casinos)
● The 2025 Commercial Gaming Policy Paper (GCGRA sector-specific guidance)
● Cabinet Decision No. 74 of 2020 (Targeted Financial Sanctions)

Core AML Obligations for Gaming Operators

Customer Due Diligence (CDD): Operators must verify customer identities at onboarding. For online platforms this means Emirates ID verification with Arabic OCR and tamper detection, alongside international documents for expatriate and tourist users, and beneficial ownership identification under Cabinet Decision No. 109 of 2023.
Enhanced Due Diligence (EDD): EDD is mandatory for Politically Exposed Persons (PEPs) and their associates, high-value customers, clients from high-risk jurisdictions, and customers displaying unusual transactional behaviour.
Sanctions Screening: Operators must screen against the UAE Local Terrorist List and the UN Security Council Consolidated List under Cabinet Decision No. 74 of 2020. This must happen in real time, not as a periodic batch process. Any AML screening solution in Dubai deployed for gaming must cover both lists with continuous monitoring.
Suspicious Transaction Reporting (STR): All STRs must be filed with the UAE Financial Intelligence Unit via the goAML platform. The GCGRA supervises reporting culture but does not receive STRs directly.
Five-Year Record Retention: All CDD records, transaction records, and compliance documentation must be retained for a minimum of five years and made available to supervisory authorities on request.
Enterprise-Wide Risk Assessment (EWRA): Operators must continuously assess and document ML/TF/PF risks across customer types, products, geographies, and delivery channels, aligned with the 2024 UAE National Risk Assessment.
Designated MLRO: Every licensed operator must appoint a qualified Money Laundering Reporting Officer. Boards and senior management carry explicit responsibility for AML/CFT oversight.
Staff Training: All relevant staff must receive regular, documented AML/CFT training covering gaming-specific typologies including structuring, chip washing, and layering through gaming platforms.

Part 5: Why a Dedicated AML Screening Solution in Dubai Is Central to Gaming Compliance

Gaming platforms process high transaction volumes, serve high-net-worth and international clientele, handle cash-equivalent instruments, and are attractive to those seeking to launder proceeds through the apparent legitimacy of winnings. Manual screening cannot meet the speed, accuracy, or scale that the GCGRA and Federal Decree-Law No. 10 of 2025 require.

The UAE national lottery operator, The Game LLC, is the clearest market example. The company deployed an AI-powered screening system that screens participants against PEP databases, sanctions lists, and adverse media reports to ensure no high-risk individuals can access lottery services. The system was integrated in under 11 weeks.

This is the standard the GCGRA expects. Any operator that approaches screening as a manual or ad hoc process will not survive regulatory scrutiny. A purpose-built AML screening solution in Dubai is the only practical answer.

What the Screening Solution Must Cover

PEP Screening: Real-time detection of domestic and foreign Politically Exposed Persons and their networks. Both PEP categories require EDD including source of wealth and source of funds verification. PEP status is time-bound and must be monitored continuously.

Sanctions Screening: Coverage across 1,300+ global watchlists and 200+ sanctions lists, including UAE-specific lists, UN consolidated lists, and enforcement databases.

Adverse Media Screening: Negative news monitoring identifies customers connected to financial crime or reputational risk who may not yet appear on formal sanctions lists.

Transaction Monitoring: Continuous monitoring for structuring, unusual deposit and withdrawal patterns, rapid chip conversion, and other gaming-specific money laundering typologies.

goAML Integration: The solution must support timely, high-quality STR submissions to the UAE FIU through the goAML portal.

Name Screening at Onboarding: Automated name screening at the point of customer registration is the first line of defence. Speed and accuracy here directly determine how much manual review burden the compliance team carries downstream.

Part 6: Responsible Gaming Obligations

The GCGRA treats responsible gaming as a core regulatory pillar. Every licensed operator must submit a Responsible Gaming Programme covering the following:
● Self-exclusion mechanisms allowing players to voluntarily exclude
● Deposit and loss limits configurable daily, weekly, and monthly
● Cooling-off periods enforced at the platform level
● Age verification with all marketing restricted to persons aged 18 and over, with no targeting of minors or vulnerable individuals
● Staff training on identifying and assisting problem gamblers
● Dedicated Responsible Gaming Officer responsible for programme oversight and GCGRA liaison

Part 7: Cybersecurity and Technical Compliance

GCGRA compliance extends to platform integrity and data protection. Mandated controls include:
● Platform penetration testing and vulnerability assessments
● Random Number Generator (RNG) certification by a GCGRA-approved laboratory
● Secure encryption for player data and financial transactions
● Payment system integrity controls
● Incident response plans for cybersecurity breaches and data protection incidents
● Player data protection in compliance with UAE data privacy law

Part 8: Enforcement and Penalties

The GCGRA has modelled its enforcement powers on regulators from New Jersey and Las Vegas. Non-compliance carries serious consequences.

Financial Penalties: Fines calibrated to the severity and duration of the breach. Under the broader UAE AML framework, administrative fines can reach AED 5,000,000 per violation.

Licence Suspension or Revocation: Serious or persistent AML failures or unlicensed operation can result in immediate suspension or permanent revocation.

Criminal Liability: Operating without a licence or facilitating unlicensed gaming may constitute a criminal offence. Violations of licensing requirements under Federal Decree-Law No. 10 of 2025 carry fines of not less than AED 200,000 and up to AED 10,000,000, plus potential imprisonment.

Cross-Border Enforcement: The GCGRA’s MOU with New Jersey regulators and its FATF-aligned framework enable active cooperation with international counterpart authorities.

Operators should also note that AML failures specifically trigger the harshest regulatory responses. A gap in your sanctions screening process, a missed PEP match, or a failure to file an STR are not minor administrative infractions in the UAE. They are grounds for licence revocation. This is precisely why selecting and deploying the right AML screening solution in Dubai must happen before you go live, not after your first supervisory review.

Part 9: The June 2026 Civil Code Reform

Federal Decree-Law No. 25 of 2025 (effective 1 June 2026) removed Articles 1012–1019 from the UAE Civil Transactions Law, eliminating the civil-law basis that treated gaming contracts as void. GCGRA-licensed gaming contracts are now enforceable in UAE civil courts for the first time. Unregulated gaming remains illegal.

For operators, this means contractual certainty with vendors, suppliers, and players, and a materially reduced risk profile for institutional investors. It also signals that the UAE is committed to building a permanent, mature gaming jurisdiction rather than a transitional regulatory experiment.

Part 10: Building Your Compliance Programme - A Practical Framework

Governance: Appoint a qualified MLRO with appropriate seniority. Establish Board-level AML/CFT oversight with documented accountability and a compliance committee with regular reporting lines.

Risk Assessment: Conduct an EWRA covering customer, product, geographic, and delivery channel risk. Map it to the UAE National Risk Assessment 2024 and the 2025 Commercial Gaming Policy Paper. Review annually or following material business changes.

Customer Onboarding and KYC: Deploy identity verification for Emirates IDs and international documents. Implement real-time PEP, sanctions, and adverse media screening at onboarding. Build risk-based CDD profiles with clear EDD triggers. The onboarding workflow is where your AML screening solution in Dubai does its most critical work. Get it right from the start.

Transaction Monitoring: Deploy a system with gaming-specific typology rules. Set thresholds aligned with the AED 11,000 DNFBP trigger. Integrate STR workflows directly with goAML.

Policies and Procedures: Document all AML/CFT policies in line with Cabinet Resolution No. 134 of 2025 and the 2025 Commercial Gaming Policy Paper. Review and approve annually at senior management level.

Trainin: Deliver regular, documented training to all relevant staff. Include gaming-specific typologies and case studies. Maintain training records for GCGRA inspection.

Regulatory Reporting: Register on goAML before commencing operations. Establish clear escalation and investigation procedures. Retain all records for a minimum of five years.

Ready to Build Your GCGRA-Compliant AML Programme?

Whether you are planning your GCGRA licence application, building your AML/CFT framework from scratch, or stress-testing an existing programme against Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, First Compliance Solution is your partner.

Contact us today for a confidential consultation. Our specialists will assess your compliance posture, identify gaps against GCGRA and UAE AML requirements, and design a tailored roadmap to full regulatory readiness.

This blog is intended for informational purposes and does not constitute legal advice. First Compliance Solution recommends engaging specialist advisors for all GCGRA licensing and AML compliance matters.

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

By First Compliance

Professional Compliance Training in Dubai- Why Choose First Compliance?

First Compliance is a KHDA-approved training provider in Dubai, delivering professional development and certification programmes rooted in real-world compliance experience. As regulatory expectations continue to rise across the region, the quality of training has become a strategic priority for individuals and organisations alike. Our programmes are built and delivered by practitioners who have worked inside the compliance challenges our clients face every day, and our use of automated compliance software as part of that learning experience ensures professionals leave genuinely prepared, not just certificated.

What KHDA Approval Means for You

KHDA approval from the Knowledge and Human Development Authority confirms that First Compliance meets the training governance, delivery quality, and programme standards required for professional training in Dubai. It means our programmes operate within a recognised framework, our certificates carry credibility as evidence of professional completion, and our delivery standards are subject to structured oversight.

For professionals and organisations investing in compliance training in Dubai, that recognition matters. The training you receive from First Compliance is not self-certified. It is practitioner-led, quality-assured, and formally recognised.

It is equally important to be clear about what KHDA approval does not cover. It relates to training delivery, not regulatory licensing. It does not confer professional authorisation, replace regulator-mandated certifications, or constitute a licence for individuals or organisations. KHDA approval applies to the provider and its programmes. The professional value comes from what those programmes actually deliver.

Training Built by Practitioners, for Practitioners

First Compliance’s approved compliance training programmes span the disciplines that matter most to compliance professionals and risk-focused organisations across Dubai and the wider region.

Our AML and Financial Crime Compliance programmes cover Anti-Money Laundering, Counter-Terrorist Financing, and Financial Crime Risk Management. These are areas where the gap between theoretical knowledge and practical readiness carries real consequences, and our trainers have operated in exactly these environments.

Our Governance, Risk and Compliance programmes address governance frameworks, regulatory compliance, audit oversight, and risk management, delivered by professionals who have navigated these structures from the inside.

Our ESG and Sustainability programmes cover governance and reporting, sustainability strategy, and climate and environmental compliance, reflecting how rapidly these obligations are growing for organisations of all sizes in the region.

Our Corporate Professional Development offering focuses on compliance capability building, risk management training, and leadership and governance programmes, designed for organisations that want to grow genuine internal expertise.

Where Automated Compliance Software Fits In

Practitioner knowledge builds capability. But in today’s regulatory environment, that capability needs to be supported by the right tools. That is where automated compliance software becomes an essential part of the conversation.

For professionals completing our programmes, understanding how automated compliance software functions, what it can manage, and where human judgement remains critical is increasingly central to what it means to be compliance-ready. Organisations that pair well-trained professionals with the right automated compliance software are better positioned to meet reporting requirements, manage risk exposure, maintain clean audit trails, and respond to regulatory change quickly and confidently.

At First Compliance, we treat automated compliance software as part of the broader compliance landscape our professionals need to understand and work within, not as a topic separate from training.

A KHDA-Approved Foundation for Compliance Training in Dubai

First Compliance exists because regulatory readiness cannot be built on shortcuts, and because the best compliance training comes from people who have lived it. Organisations that invest in practitioner-led, governed, and quality-assured training build the internal capability to manage compliance obligations with genuine confidence.

Whether you are building a compliance function from the ground up, strengthening an existing team, or ensuring your organisation meets the governance standards expected in Dubai and across the region, First Compliance brings the practitioner depth and the formal recognition to do it properly.

KHDA-Approved Training. Built for the Demands of Modern Compliance.

As compliance obligations grow more complex and automated compliance software becomes more deeply embedded in how organisations manage risk and governance, the professionals who perform best will be those who combine structured, practitioner-led knowledge with real operational readiness. First Compliance’s KHDA-approved compliance training programmes in Dubai are designed to build exactly that.

To find out more about our programmes or to discuss your organisation’s training needs, visit our Contact Us page.

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

By First Compliance

Virtual Assets and Crypto AML in UAE 2026: VARA, DFSA Updates, and Compliance Essentials for VASPs c

Virtual Assets and Crypto AML in UAE 2026: VARA, DFSA Updates, and Compliance Essentials for VASPs

Introduction

The UAE has firmly established itself as one of the most active and tightly regulated jurisdictions for virtual assets in the world. As of 2026, crypto businesses operating anywhere in the Emirates are dealing with a rapidly evolving compliance landscape that touches everything from licensing requirements and transaction monitoring to risk assessments and anti-money laundering controls. Whether you are running a crypto exchange in Dubai mainland, a custodial service in the DIFC, or a payments platform onshore, understanding your regulatory obligations is no longer optional. It is a condition of staying in business.

This blog breaks down the key regulatory developments from VARA and the DFSA, the AML requirements that now apply to virtual asset service providers (VASPs) across the UAE, and how a purpose-built AML screening solution in Dubai can help your business meet these obligations without the operational chaos that often comes with compliance at scale.

The UAE Regulatory Landscape for Virtual Assets in 2026

The UAE does not have a single regulator for crypto. It has several, and each one governs a distinct jurisdiction. Understanding which regulator applies to your business is the foundation of any compliance programme.

VARA is Dubai’s dedicated regulator for virtual assets operating in onshore Dubai, outside of the DIFC. It handles licensing and regulating VASPs within its jurisdiction. The DFSA is the independent regulator of financial services within the Dubai International Financial Centre, with its own distinct framework for virtual assets. The Central Bank of the UAE plays a role in overseeing fiat-to-crypto transactions and regulates payment and digital banking services related to virtual assets.

In August 2025, the UAE’s Capital Markets Authority and VARA agreed on a shared framework to regulate virtual assets across the UAE, with the agreement including mutual recognition of VASP licenses issued by either authority.

For businesses operating across multiple jurisdictions within the UAE, compliance with one framework does not substitute for compliance with another. Each regulatory pathway carries its own licensing requirements, timelines, capital thresholds, and AML standards.

VARA Rulebook 2.0: What Changed in 2025 and Beyond

VARA continues to govern virtual asset activities in Dubai and most UAE free zones outside the DIFC, under VARA Rulebook Version 2.0 published in May 2025.

The updated rulebook introduced more detailed expectations around how licensed VASPs must structure their compliance and risk management functions. One of the most significant developments relates to on-chain transaction monitoring.

VARA’s Compliance and Risk Management Handbook specifies that monitoring of distributed ledger technology transactions must be combined with AML typologies such as unusual deposit and withdrawal patterns and other behavior analytics to inform the overall compliance process. This means that simply running periodic checks is no longer enough. VASPs are expected to have systems that connect on-chain wallet activity with their broader KYC and case management processes.

In November 2025, VARA issued a circular providing guidance to regulated VASPs on risk assessment requirements, following the May 2025 Risk Management Rulebook and a June 2025 national risk assessment circular.

Other key milestones include the enforcement of VARA’s Custody Rulebook from March 2025 and the Marketing Rulebook from June 2025, both of which carry fine risk for non-compliant licensed entities. The VARA Annual MLRO Certification Renewal deadline also fell in February 2026, requiring all licensed entities to renew their Money Laundering Reporting Officer credentials. Penalties for operating without a license or for AML breaches can be severe. Operating without a license can result in immediate cease-and-desist orders, asset freezes, and fines reaching AED 1 billion, and even licensed entities face sanctions for AML breaches, inadequate reporting, or governance failures.

DFSA Updates: The New Crypto Token Suitability Framework

For businesses operating in or from the DIFC, the DFSA rolled out a major update to its crypto token regulatory framework in January 2026.

The DFSA issued updated rules on the regulation of crypto tokens in the DIFC, which came into force on 12 January 2026. The updated rules refine and strengthen the regime first introduced in 2022 and mark the next phase in the continued development of the DFSA’s digital assets regulatory framework. Under the updated regime, firms providing financial services involving crypto tokens are directly responsible for determining, on a reasoned and documented basis, whether each crypto token they engage with meets the DFSA’s suitability criteria. The DFSA will no longer prescribe a list of recognized crypto tokens.

This shift moves the compliance burden directly onto firms. Previously, the DFSA maintained a closed list of recognized crypto tokens based on its own assessment. Under the amended approach, DFSA-authorized firms must perform and document their own suitability assessments for any crypto assets they custody, deal in, list, hold, or otherwise use in connection with regulated activities.

The suitability assessment must consider AML and CFT risks, sanctions exposure, anonymity-enhancing features, and whether the token can be effectively monitored using block chain analytics. Each firm must assess each crypto token it wishes to use for suitability and tailor that assessment to its own business model and the specific context in which the token will be used.

As of January 2026, the DFSA recognizes three fiat tokens, which are Circle Euro Coin (EURC), Circle USD Coin (USDC), and Ripple USD (RLUSD).

The practical implication is clear: DIFC-based firms now need internal compliance processes that are capable of producing structured, evidence-based token assessments. The quality of your documentation is now a regulatory requirement, not just an internal best practice.

AML Obligations for VASPs Under UAE Federal Law

At the federal level, 2025 brought a significant update that every VASP in the UAE needs to be aware of.

The UAE published the 2025 Federal Decree-Law on AML, CFT, and CPF, establishing new regulatory requirements for VASPs. As part of compliance, VASPs must conduct a mandatory GAP assessment of their current AML, CFT, and CPF policies, procedures, systems, and controls against the provisions of the 2025 Decree-Law. The deadline for submitting a completed GAP assessment was 60 calendar days from the issuance of the relevant circular, and this had to include clause-by-clause mapping, a board-approved remediation plan with owners, milestones, and target dates, and evidence of immediate risk-based mitigations for any high-risk gaps identified.

For many VASPs, this triggered an urgent internal review of their AML frameworks. Firms that had not yet invested in structured compliance infrastructure found themselves scrambling to produce documentation they did not have.

Core AML requirements for all VASPs operating in the UAE include customer due diligence and enhanced due diligence for high-risk clients, ongoing transaction monitoring with documented typologies, sanctions screening against UAE, UN, OFAC, and other applicable lists, PEP (Politically Exposed Person) screening at onboarding and on a periodic basis, suspicious transaction reporting to the UAE Financial Intelligence Unit, and maintenance of records for a minimum period in line with regulatory guidance.

An effective AML screening solution in Dubai needs to address all of these requirements in a single, integrated workflow rather than through disconnected manual processes.

What VASPs Must Have in Place: A Practical Compliance Checklist

Whether you are licensed under VARA, the DFSA, or working toward licensing under either framework, the following are the core compliance building blocks you need to have in place in 2026.

AML Screening and Sanctions Monitoring

Every customer and every transaction must be screened against the relevant sanctions lists at onboarding and on a continuous basis. This includes UAE Central Bank lists, UN consolidated lists, OFAC, EU, and UK sanctions, as well as local watch lists maintained by the Ministry of Economy and other UAE authorities. A reliable AML screening solution in Dubai automates this process and reduces the manual effort involved in managing false positives and escalations.

KYC and Customer Due Diligence

VARA and the DFSA both require VASPs to implement a risk-based KYC framework. This means collecting and verifying identity documents, understanding the nature and purpose of the business relationship, and applying enhanced due diligence to customers who present elevated risk. For crypto businesses, this also extends to understanding the source of crypto funds where transactions are large or unusual.

On-Chain Transaction Monitoring

As VARA’s Rulebook 2.0 makes clear, standard transaction monitoring is not enough for crypto businesses. On-chain KYT (Know Your Transaction) tools need to be integrated with your broader AML workflow so that wallet risk ratings, transaction histories, and behavioral patterns are visible to compliance teams alongside traditional account data.

Risk Assessment Documentation

Both VARA and the DFSA now place significant emphasis on documented risk assessments. Under VARA’s November 2025 circular, regulated VASPs must follow clear methodologies for their institutional and customer-level risk assessments. Under the DFSA’s January 2026 update, firms must produce reasoned and documented token-level suitability assessments. Without a system to manage this documentation, these requirements quickly become unmanageable.

Case Management and Reporting

Compliance teams need a centralized place to manage alerts, conduct investigations, and file reports. A good AML screening solution in Dubai will include case management functionality so that nothing falls through the cracks and audit trails are complete.

Why an AML Screening Solution in Dubai Matters for Crypto Compliance

Many VASPs come to the UAE with existing compliance tools that were built for traditional financial services or for lighter-touch regulatory environments. Those tools often fall short when applied to the specific demands of UAE crypto compliance.

The combination of VARA’s on-chain monitoring requirements, the DFSA’s firm-led token suitability framework, and the UAE’s federal AML decree means that compliance teams are managing a significantly larger and more complex set of obligations than they were even two years ago. Manually tracking sanctions hits, PEP flags, wallet risk ratings, and case documentation across spreadsheets or disconnected systems is not realistic at any meaningful scale.

A purpose-built AML screening solution in Dubai offers several practical advantages. It brings all screening, monitoring, and case management into one platform. It automates periodic re-screening so that customers who were clean at onboarding are checked again when new sanctions designations are issued. It provides audit-ready documentation that can be presented to VARA or DFSA inspectors without additional preparation. And it scales as the business grows, without requiring a proportional increase in compliance headcount.

First Compliance offers exactly this kind of platform for VASPs operating in the UAE. With modules covering sanctions screening, PEP screening, transaction monitoring, e-KYC with real-time face verification, risk management, regulatory reporting, and case management, it is designed to meet the compliance demands of both VARA and DFSA-regulated entities. The platform integrates with hundreds of global sanctions lists and adverse media sources and supports customizable workflows that can be adapted to the specific risk appetite and business model of each VASP.

Conclusion

The regulatory environment for virtual assets in the UAE is more structured, more demanding, and more consequential than ever before. VARA Rulebook 2.0, the DFSA’s January 2026 token suitability framework, and the 2025 Federal AML Decree have collectively raised the bar for what it means to be a compliant VASP in this jurisdiction. The expectations around on-chain monitoring, documented risk assessments, continuous sanctions screening, and qualified MLRO oversight are no longer aspirational standards. They are enforceable requirements with real penalties attached.

For VASPs that want to operate with confidence in the UAE market, investing in the right AML screening solution in Dubai is one of the most important steps you can take. The right tool does not just help you meet current requirements. It prepares you for the next round of regulatory updates, which in this market, are never far away.

To learn more about how First Compliance can support your VASP’s AML and compliance needs in the UAE, contact us.

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

By First Compliance

CBUAE Inspections in the Insurance Sector: What to Expect, how to Respond, and Why Compliance Helps

If you run an insurance company in the UAE, a CBUAE inspection is not a question of if. It is a question of when and how ready you will be when it happens.

Since the Central Bank of the UAE took over the functions of the former Insurance Authority in 2020, its supervisory reach has grown considerably. Today, it conducts structured on-site inspections across insurance companies, reinsurers, agents, and brokers, looking closely at AML/CFT controls, governance frameworks, risk management, and customer protection standards. And since the UAE’s removal from the FATF grey list in 2024, the pace and intensity of enforcement have accelerated sharply.

Among the most scrutinised areas in any insurance inspection is PEP and sanctions screening in Dubai. Whether your controls are manual or automated, whether your coverage is complete or patchy, and whether your alert handling is documented or ad hoc, inspectors will look at all of it closely. This guide walks you through what a strong Sanctions Compliance Programme looks like, how the full Targeted Financial Sanctions workflow should operate, who is responsible for what, and how to build a training programme that holds up under regulatory review.

Why CBUAE Inspections Are Important

The UAE’s exit from the FATF grey list in 2024 was a significant milestone, but it came with a clear expectation: the UAE had to prove that its supervisory regime was genuinely effective, not just compliant on paper. The CBUAE responded in 2025 with one of its most aggressive enforcement campaigns to date, issuing large fines, licence revocations, restrictions, and personal sanctions against individuals in senior compliance roles.

Insurance companies are fully in scope. The CBUAE requires them to run comprehensive AML/CFT programmes covering customer due diligence, enhanced due diligence, suspicious transaction reporting, and sanctions screening, and insurers remain responsible for all of these controls even when certain functions have been delegated to agents or brokers.

Sanctions Compliance and Targeted Financial Sanctions: Getting It Right

Sanctions compliance is one of the areas where insurance companies are most frequently found wanting during CBUAE inspections. Weak or inconsistent PEP and sanctions screening in Dubai is a recurring finding, and the consequences range from formal warnings to personal sanctions against senior compliance officers. A properly structured Sanctions Compliance Programme is no longer optional. It is a baseline supervisory expectation.

What Is a Sanctions Compliance Programme?

A Sanctions Compliance Programme is the complete set of policies, procedures, controls, and oversight mechanisms an insurance company puts in place to ensure it does not do business with sanctioned individuals, entities, or jurisdictions. It is not simply a matter of having a sanctions list loaded into a system. It is a managed, documented process covering how customers are screened, how alerts are handled, how confirmed matches are escalated, and how the institution reports to regulators.

Understanding Targeted Financial Sanctions

Targeted Financial Sanctions, or TFS, are a specific and particularly time-sensitive category of sanctions obligation. They involve asset freezes and prohibitions on making funds or economic resources available to designated individuals, entities, and groups listed by the UN Security Council and the UAE’s own Local Terrorist List and Proliferation Financing List.

What makes TFS different from general sanctions compliance is the immediacy of the obligation. When a designated person or entity is identified, the requirement to freeze assets and report to the relevant authority applies without delay. There is no review window, no de minimis threshold, and no tolerance for a slow response. This is why the end-to-end TFS workflow must be clearly defined, consistently applied, and supported by technology that can keep pace with the obligation.

The End-to-End TFS Workflow

Step 1: Screening

Every customer must be screened against relevant sanctions lists at onboarding and continuously throughout the relationship. The lists that must be covered include the UN consolidated list, OFAC SDN, EU consolidated list, HM Treasury list, and the UAE’s own Local Terrorist List and Proliferation Financing List. Screening must extend beyond the customer to include beneficial owners, authorised signatories, and counterparties.

Effective PEP and sanctions screening in Dubai requires the screening system to be configured with appropriate fuzzy matching logic to catch name variations, transliterations, and spelling differences without generating an unmanageable volume of false positives. A system that throws up hundreds of alerts per week with no intelligent filtering is not a functioning compliance control. It is a noise generator that breeds alert fatigue and missed matches.

Step 2: Alert Handling

When a potential match is generated, the system raises an alert. A trained compliance analyst conducts an initial review to determine whether the alert is a true match, a false positive, or requires escalation. This review must be documented. The analyst checks identifying information against the listed individual or entity, considering name variations, date of birth, nationality, and any other available identifiers, and records the outcome with supporting evidence. No transactions involving the flagged customer may proceed while the alert remains open.

Step 3: Escalation

If the initial review cannot rule out a match, or if a confirmed match is identified, the case must be escalated immediately to the MLRO or Deputy MLRO. The MLRO determines whether the match is confirmed and triggers the asset freeze and reporting obligations. Senior management must be notified without delay. The escalation path must be pre-defined in the Sanctions Compliance Programme so that no one is unclear about what to do or who to contact when a real match is found.

Step 4: Regulatory Reporting

Confirmed TFS matches must be reported to the UAE Financial Intelligence Unit via the GoAML portal. The insurer must also notify the CBUAE and comply with any specific instructions issued in connection with the designation. All reporting must be completed without tipping off the designated person. Delays in reporting are treated as a serious compliance failure.

Step 5: Record Keeping and Ongoing Monitoring

All screening results, alert reviews, escalation decisions, and regulatory reports must be retained for a minimum of five years. Customers subject to confirmed or suspected TFS matches must remain under enhanced ongoing monitoring. The case management system must maintain a complete, time-stamped audit trail across every step of the workflow.

Mapping Roles and Functions in the TFS Workflow

One of the most common inspection findings in sanctions compliance is that responsibilities are unclear. Staff are unsure who owns the screening, who reviews alerts, and who escalates. A well-designed Sanctions Compliance Programme maps roles explicitly so there is no ambiguity when it matters most.

Function	Responsibilities
Front-line Operations	Collect customer data accurately at onboarding; flag unusual customer behavior; do not process transactions while alerts are open
Compliance Analyst	Conduct initial alert review and document outcome; escalate unresolved or confirmed matches to MLRO; maintain case records
MLRO / Deputy MLRO	Make final determination on confirmed matches; trigger freeze and reporting obligations; notify senior management; liaise with regulators
Senior Management	Receive escalation notifications; support resourcing of the compliance function; approve sanctions compliance policies
Board / Audit Committee	Receive regular reporting on TFS programme performance; approve the sanctions compliance framework; ensure tone from the top supports a compliance culture

Training Needs Analysis and Approved Training Plan

Sanctions training is not a tick-box exercise. The CBUAE expects evidence that different staff receive training appropriate to their role and that this training is documented, assessed, and refreshed regularly. A training needs analysis is the starting point.

Front-line operations staff need a foundational understanding of what sanctions are, what a TFS obligation means in practice, and what they must do when a potential match is flagged. They also need to understand the basics of PEP identification so that they can collect the right information at onboarding and flag concerns to the compliance team when something does not feel right.

Compliance analysts need more technical training covering how to review and document alerts, how to distinguish a true match from a false positive, when and how to escalate, and how to use the case management system to maintain a complete audit trail. Training on the specific mechanics of PEP and sanctions screening in Dubai, including the lists in scope, the matching methodology, and the regulatory timeline requirements, should be covered in depth.

The MLRO and Deputy MLRO require comprehensive training covering the full legal and regulatory framework, TFS reporting obligations, the GoAML portal, management of confirmed matches, and the personal consequences of reporting failures. Ongoing CPD is expected and should be evidenced.

Senior management and board members need awareness-level training focused on governance obligations, the strategic and reputational risk that sanctions non-compliance poses, and their personal accountability under UAE law.

The approved training plan should document the following for each staff category: training topic, delivery format (in-person, e-learning, or workshop), frequency (annual as a minimum for all, with additional refresher training whenever regulations or lists change), assessment method, and records of completion. Training materials must be kept current and reflect the most recent CBUAE guidance and changes to the UAE sanctions framework. Inspectors will ask to see completion records and will check dates against any regulatory updates to verify that training kept pace with change.

The Full Inspection Lifecycle: Pre-Exit, Exit, and Post-Inspection

Understanding what happens at each stage of a CBUAE inspection helps you manage the process without being caught off-guard.

Before the Inspection

When the CBUAE provides advance notice, use that window purposefully. Conduct an internal readiness review. Gather documentation across all inspection areas. Verify that your PEP and sanctions screening in Dubai is generating clean, auditable records and that your MLRO is briefed and ready to lead the response. This preparation period is your most valuable asset.

The Pre-Exit Meeting

Before inspectors formally conclude, they share preliminary observations with your team. Your compliance team can provide clarifications, supply additional documentation, and correct factual misunderstandings before findings are formalized. Come prepared with clear evidence of your controls and any corrective actions already underway. This signals institutional credibility.

The Exit Meeting

This is the formal close. The CBUAE presents its official findings and outlines remediation expectations. How you respond from this point forward shapes the regulator’s view of your institution.

How to Write a Strong Post-Inspection Response

A regulatory response is a formal commitment. Follow-up inspections will verify that those commitments have been kept.

Acknowledge each finding directly and without deflection. Identify the root cause of each issue, whether it is a system gap, a training shortfall, or a process breakdown.

Map each finding to a specific remediation action with a named owner and a realistic completion date. Vague commitments carry no weight. If the finding relates to inadequate PEP and sanctions screening in Dubai, specify what system is being implemented, what list coverage it provides, and when existing customers will be rescreened.

Update your AML/CFT policies and procedures to reflect the remediated controls, obtain board approval, version-control the documents, and ensure they are distributed to all relevant staff.

Put an internal monitoring mechanism in place to verify that remediation has actually been completed. A well-integrated compliance platform should provide the audit trail, the workflow evidence, and the reporting capability that regulators expect to see when they return.

How First Compliance Supports Insurance Companies in the UAE

First Compliance is a comprehensive compliance and due diligence software platform developed by a team of experts in law, compliance, and anti-financial crime, with a proven track record in regulatory compliance inspections, transaction monitoring, and AI-powered adverse media screening.

For insurance companies managing CBUAE inspection readiness, the platform covers every area inspector examine. It centralises customer data, screening results, risk scores, and case records in a single system so that when an inspector asks for evidence of CDD or sanctions processes, your team can produce complete, time-stamped records immediately.

The platform is integrated with hundreds of global sanctions lists and supports the full TFS workflow from automated screening through alert generation, case management, escalation tracking, and regulatory reporting. Every step is documented and auditable, supporting both the compliance analysts conducting initial reviews and the MLRO managing escalations and GoAML submissions.

For insurance companies that need reliable PEP and sanctions screening in Dubai that scales with regulatory expectations, First Compliance aligns with CBUAE guidelines, FIU requirements, free zone regulations, and DFSA and ADGM compliance standards, making it a locally grounded platform built for the UAE environment.

Frequently Asked Questions

What is the difference between a pre-exit meeting and an exit meeting

The pre-exit meeting happens while inspectors are still on-site and gives your team an opportunity to provide clarifications before findings are finalised. The exit meeting is the formal conclusion where the CBUAE presents official findings and outlines remediation expectations.

If you run an insurance company in the UAE, a CBUAE inspection is not a question of if. It is a question of when and how ready you will be when it happens.

How long does an insurance company have to respond to inspection findings?

The CBUAE typically specifies a response timeframe in the post-inspection communication. Serious findings may require responses within 30 days, while broader remediation plans may be given longer timelines. All deadlines should be treated as firm commitments.

What are the most common AML/CFT findings in insurance company inspections?

Incomplete customer due diligence files, failure to apply enhanced due diligence for high-risk customers and PEPs, absence of a documented transaction monitoring framework, late or missing GoAML suspicious transaction reports, inadequate PEP and sanctions screening coverage, and insufficient AML training records.

What penalties can an insurance company face for non-compliance?

Penalties range from financial fines to license suspension or revocation. Personal sanctions against senior management and compliance officers are increasingly common in the UAE. Repeated non-compliance escalates penalties significantly.

Can First Compliance help us prepare proactively for a CBUAE inspection?

Yes. First Compliance’s platform is designed to make insurance companies inspection-ready at all times through continuous compliance monitoring, automated PEP and sanctions screening, real-time transaction monitoring, and structured case management. To find out more or book a demo on our website.

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

By First Compliance

What Is FATF? A Complete Guide for Businesses in the UAE and Kuwait

What Does FATF Stand For?

FATF stands for the Financial Action Task Force. In French it is called Groupe d’action financière (GAFI), which is why you will occasionally see that acronym in international regulatory documents alongside FATF.

It is an intergovernmental body, meaning it is composed of member countries and jurisdictions working together under a shared framework rather than being controlled by any single government or private organization.

When and Why Was FATF Created?

FATF was established in 1989 at the G7 Summit in Paris. The original concern was specific: drug trafficking profits were flooding into the global banking system, and no coordinated international mechanism existed to stop it.

The founding logic was simple but powerful. Criminal networks only survive because they can move, hide, and spend the money they make. Disrupt their access to the financial system and you disrupt the enterprise itself.

The mandate has grown significantly since 1989:

Year	Development
1989	FATF founded, focused exclusively on money laundering
1990	First 40 Recommendations published
2001	Mandate expanded to include counter-terrorist financing (CFT) after 9/11
2003	40 Recommendations revised and strengthened
2012	Third pillar added: counter-proliferation financing (CPF)
2019	Guidance on virtual assets and VASPs published
2022	UAE added to the Grey List
2024	UAE exits Grey List
2026	Kuwait added to the Grey List

What Are the Three Pillars FATF Works On?

Pillar	What It Means	Real-World Example
Anti-Money Laundering (AML)	Preventing criminals from disguising illegal funds as legitimate money	A drug trafficker buying real estate to clean cash
Counter-Terrorist Financing (CFT)	Stopping funds from reaching terrorist individuals or groups	Small transfers routed through shell accounts to fund an attack
Counter-Proliferation Financing (CPF)	Blocking financing for weapons of mass destruction programmes	Front companies procuring materials for a nuclear programme

Where Is FATF Based and Who Are Its Members?

FATF is headquartered in Paris, France, and operates within the OECD building. It is led by a rotating Presidency held by a member country for a two-year term.

As of 2026, FATF has:

40 member jurisdictions including the USA, UK, EU, China, India, Saudi Arabia, and the UAE
2 regional organisations as members (the Gulf Co-operation Council and the European Commission)
Over 200 jurisdictions committed to FATF standards through a global network of FATF-Style Regional Bodies (FSRBs)

Kuwait and the UAE are both members of MENAFATF, the Middle East and North Africa Financial Action Task Force, which is the FATF-Style Regional Body covering the Gulf region.

What Does FATF Actually Do?

FATF does four core things:

Sets the Global Standards: FATF publishes the 40 Recommendations, which are the internationally accepted standards for AML, CFT, and CPF. These are not legally binding treaties, but virtually every country in the world has adopted them into national law because failing to do so results in isolation from the global financial system.
Evaluates Countries FATF: and its regional bodies conduct Mutual Evaluation Reviews (MERs) of member countries. These are deep, independent assessments of how well a country has implemented the 40 Recommendations in both law and practice.
Maintains the Grey List and Black List: Based on MER findings and follow-up monitoring, FATF identifies countries with strategic deficiencies and places them under increased monitoring. More on this below.
Produces Guidance and Typologies: FATF regularly publishes guidance documents on specific risks, such as virtual assets, real estate, professional money laundering, and trade-based money laundering, to help countries and businesses understand emerging threats.

What Are the FATF 40 Recommendations?

The 40 Recommendations are the rulebook of global financial crime prevention. They cover every major area of AML/CFT/CPF compliance:

Category	Recommendations Cover
AML/CFT Policies and Coordination	National risk assessments, inter-agency cooperation
Money Laundering and Confiscation	Criminalisation of ML, asset seizure powers
Terrorist and Proliferation Financing	CFT laws, targeted financial sanctions
Preventive Measures	CDD, EDD, PEPs, correspondent banking, wire transfers
Transparency and Beneficial Ownership	Company registers, trust ownership disclosure
Powers and Responsibilities of Authorities	FIU functions, law enforcement powers
International Cooperation	Mutual legal assistance, extradition

Every regulated business in the UAE and Kuwait, whether a bank, exchange house, law firm, real estate broker, or crypto platform, operates under national laws built directly on these 40 Recommendations. For businesses seeking compliance monitoring software in Dubai, understanding these foundations is essential to choosing a platform that genuinely maps to regulatory obligations rather than just ticking boxes.

What Is a Mutual Evaluation Report (MER)?

A Mutual Evaluation Report is FATF’s formal assessment of a country’s AML/CFT/CPF system. It evaluates two dimensions:

Technical Compliance: Has the country passed the right laws and regulations? Do the rules on paper match the 40 Recommendations?

Effectiveness: Are those laws actually working? Are criminals being prosecuted? Are suspicious transactions being reported? Is the financial system genuinely protected?

A country can have technically sound laws and still fail on effectiveness if those laws are not being applied in practice. This distinction is critical, and it is exactly why Kuwait was greylisted in February 2026 despite having made significant technical progress following its 2024 MER.

What Is the FATF Grey List?

The Grey List, formally called “Jurisdictions Under Increased Monitoring,” is a public list of countries that have agreed to work with FATF to fix identified weaknesses in their AML/CFT/CPF systems within an agreed timeframe.

Being on the Grey List means:

The country has strategic deficiencies that pose a risk to the global financial system
The country has committed to an agreed action plan with specific milestones
FATF will monitor and report on progress at every Plenary (three times per year)
International financial institutions are expected to apply Enhanced Due Diligence to transactions and customers connected to that country

Being removed from the Grey List requires on-site verification by FATF that the action plan has been fully and effectively implemented.

Grey List vs Black List

List	Formal Name	What It Means	Current Members (2026)
Grey List	Jurisdictions Under Increased Monitoring	Strategic deficiencies exist; country is cooperating with FATF	22 jurisdictions including Kuwait
Black List	High-Risk Jurisdictions Subject to a Call for Action	Serious deficiencies; FATF calls on all countries to apply countermeasures	North Korea, Iran, Myanmar

Kuwait and the FATF Grey List: The Full Story

Kuwait's First Greylisting (2012 to 2015)

Kuwait was first placed on the FATF Grey List in 2012. At that time the deficiencies related to gaps in its AML/CFT legal framework, weak suspicious transaction reporting, and limited international cooperation. Kuwait addressed the required action items and was removed from the list in February 2015.

The 2024 Mutual Evaluation Report

In June 2024, FATF adopted Kuwait’s latest Mutual Evaluation Report. The findings were mixed. Kuwait had made meaningful technical progress, including adopting a new national AML/CFT/CPF strategy and updating key legislation. However, the effectiveness of the system was found to be significantly lacking.

Kuwait Added to the Grey List: February 2026

At the February 2026 Plenary in Mexico City, FATF formally placed Kuwait back on the Grey List. The specific deficiencies identified were:

A consistently low understanding of terrorist financing risks among relevant authorities
Prosecution focused on simple money laundering cases with a significant lack of complex case investigations
Insufficient outreach to real estate agents and Dealers in Precious Metals and Stones on suspicious transaction reporting
Beneficial ownership registry data that is not consistently accurate, complete, or updated
Low volume of investigations tied to cross-border currency movements and bearer negotiable instruments

Kuwait's Agreed Action Plan

To exit the Grey List, Kuwait must demonstrate verified progress on:

Action Item	What Is Required
STR reporting in DNFBPs	Sector-specific outreach to real estate and precious metals dealers including distribution of ML/TF indicators
Beneficial ownership accuracy	Registry data must be accurate, complete, and current; sanctions applied for non-compliance
Complex ML prosecutions	Increase investigations and prosecutions involving cross-border currency movements and complex predicate offences
TF risk understanding	Demonstrate that relevant authorities have an adequate and calibrated understanding of terrorist financing risks

Kuwait will remain on the Grey List until FATF conducts an on-site visit and verifies that each item has been fully and effectively addressed.

The UAE and FATF: From Grey List to Global Standard

The UAE's Greylisting in 2022

The UAE was placed on the FATF Grey List in March 2022. The listing reflected concerns about gaps in its AML/CFT/CPF framework across several sectors including real estate, gold trading, corporate service providers, and virtual assets.

A Period of Intensive Reform

Between 2022 and 2024, the UAE undertook one of the most comprehensive and rapid compliance reform programmes in FATF history:

New AML/CFT federal legislation and Cabinet Resolutions
Establishment of VARA as a dedicated virtual asset regulator
Strengthening of the UAE Financial Intelligence Unit and go AML platform
Significant increase in STR filings, ML investigations, and prosecutions
Crackdown on unlicensed money service businesses
Enhanced supervision of DNFBPs across real estate, gold, and legal services

During this period, the demand for reliable compliance monitoring software in Dubai grew sharply, as regulated entities raced to demonstrate that their internal controls were not just documented but genuinely operational and auditable.

The UAE Exits the Grey List: February 2024

In February 2024, FATF removed the UAE from the Grey List following a successful on-site assessment confirming that the agreed action plan had been fully implemented and was producing results. This was a landmark moment for the UAE’s positioning as a global financial and business hub.

The Ongoing Obligation

Exiting the Grey List does not mean compliance work is finished. UAE-regulated entities are legally required to continuously update their AML/CFT/CPF programmes in line with FATF updates. Kuwait’s greylisting in February 2026 is a direct trigger for UAE businesses to apply Enhanced Due Diligence to all Kuwait-linked customers and transactions.

What Does FATF Mean for Businesses in the UAE and Kuwait?

Whether you run a bank, a real estate firm, a law practice, an exchange house, or a crypto platform, FATF’s standards translate into real day-to-day compliance obligations:

FATF Requirement	What Your Business Must Do
Customer Due Diligence (CDD)	Verify every customer's identity and understand the nature of the relationship
Enhanced Due Diligence (EDD)	Apply deeper scrutiny to high-risk customers, PEPs, and customers from greylisted countries like Kuwait
Beneficial Ownership	Identify and verify the real human beings who ultimately own or control a legal entity
Suspicious Transaction Reporting	File STRs with the national FIU (goAML in UAE) when transactions cannot be explained
Record Keeping	Maintain customer and transaction records for a minimum period (five years in UAE, eight years for VASPs)
Risk Assessment	Conduct and regularly update a documented assessment of the ML/TF/PF risks your business faces
Screening	Screen customers, counterparties, and transactions against sanctions lists, PEP databases, and adverse media
Training	Ensure all relevant staff understand their AML/CFT obligations

Meeting these obligations manually across hundreds or thousands of customers is neither practical nor defensible to a regulator. This is why investing in purpose-built compliance monitoring software in Dubai is no longer a luxury for growing businesses. It is a baseline operational requirement.

How First Compliance Solution Helps Businesses in the UAE and Kuwait

Understanding FATF is step one. Building a compliance programme that actually meets every obligation, day after day, across hundreds or thousands of customers and transactions, is a different challenge entirely. That is where First Compliance Solution comes in.

First Compliance Solution is a full-spectrum AML/CFT compliance platform built by experts in law, compliance, and financial crime. It is designed specifically for the regulatory environment in the UAE and the broader Gulf region, and it maps directly to every FATF-driven obligation that regulated businesses face.

What the Platform Covers

For UAE Businesses

Following Kuwait’s greylisting in February 2026, UAE entities must immediately apply Enhanced Due Diligence to Kuwait-linked customers. First Compliance automates this process. When a customer’s risk profile changes because of a Grey List update, the system flags the account, triggers an EDD workflow, and documents every step for regulatory audit purposes. As the most trusted compliance monitoring software in Dubai, First Compliance Solution ensures that no Grey List update ever catches your business unprepared.

For Kuwait Businesses

Kuwait’s greylisting means local financial institutions and DNFBPs face intensified supervisory scrutiny. Building a defensible, documented, and effective AML/CFT programme is now an urgent priority. First Compliance Solution provides the infrastructure to do exactly that, whether your organisation is a bank, exchange house, real estate firm, or legal practice.

Compliance Need	First Compliance Solution Module
Customer identity verification	E-KYC with real-time face verification
Beneficial ownership capture and verification	Onboarding and Due Diligence
Risk-based customer scoring	Risk Management
Sanctions, PEP, and watchlist screening	Sanction Screening across hundreds of global lists
Ongoing transaction monitoring	Transaction Monitoring with real-time alerts
STR preparation and goAML filing	Regulatory Reporting
Case investigation and documentation	Compliance Case Management
Policy and record management	Document Management
Management oversight and reporting	Dashboard and Analytics
Regulatory deadline and review alerts	Alerts and Notifications

Why It Matters

FATF assessors evaluate both technical compliance and effectiveness. Having a policy document is not enough. You need to demonstrate that your controls actually work, that suspicious transactions are identified, that EDD is applied correctly, and that your risk assessments reflect your real exposure. First Compliance Solution creates a full audit trail across every function so that when a regulator or assessor asks for evidence, you have it.

For businesses in Kuwait now entering a period of heightened regulatory scrutiny, and for UAE businesses managing the knock-on obligations that come with every FATF Grey List update, deploying the right compliance monitoring software in Dubai is the single most impactful step a compliance team can take.

Visit firstcompliancesolution.com to request a demo and see how the platform can be configured for your sector, whether you are a bank, VASP, real estate firm, or any other regulated entity in the UAE or Kuwait.

Quick Reference: FATF Key Terms Glossary

Term	Plain English Meaning
AML	Anti-Money Laundering
CFT	Counter-Terrorist Financing
CPF	Counter-Proliferation Financing
MER	Mutual Evaluation Report: FATF's country assessment
Grey List	Countries under increased FATF monitoring
Black List	Countries subject to FATF countermeasures
CDD	Customer Due Diligence: verifying who your customer is
EDD	Enhanced Due Diligence: deeper checks for higher-risk customers
PEP	Politically Exposed Person: officials at higher risk of corruption
UBO	Ultimate Beneficial Owner: the real human behind a company
STR	Suspicious Transaction Report: a report filed with the FIU
FIU	Financial Intelligence Unit: the national body that receives STRs
goAML	UAE's FIU platform for submitting STRs
DNFBP	Designated Non-Financial Business or Profession (e.g. lawyers, real estate agents, accountants)
VASP	Virtual Asset Service Provider (e.g. crypto exchanges)
MENAFATF	The regional FATF body covering the Middle East and North Africa
Travel Rule	Requirement to pass sender and recipient data with virtual asset transfers

Summary

FATF is the global organization that sets the rules for fighting money laundering, terrorist financing, and proliferation financing. Its 40 Recommendations form the foundation of AML/CFT law in the UAE, Kuwait, and over 200 jurisdictions worldwide. Countries that fail to implement those rules effectively get placed on the Grey List, which triggers real consequences for their financial sectors and for businesses that deal with them.

Kuwait is on the Grey List as of February 2026. The UAE exited in February 2024 and must maintain the standards that got it off. For businesses operating in both countries, the compliance obligations are concrete, legally binding, and actively supervised.

First Compliance Solution gives you the technology to meet every one of those obligations, from customer onboarding and sanctions screening to transaction monitoring and regulatory reporting, all in one platform built for the Gulf’s regulatory reality.

UAE’s New AML Law 2025/2026: Key Changes Under Federal Decree-Law No. 10 and What Businesses Must Do Now

By First Compliance

Every Country on the FATF Grey List Right Now: Why They Are Listed and What It Means for Your Business

Introduction

As of 13 February 2026, the FATF Grey List includes 22 jurisdictions: Algeria, Angola, Bolivia, Bulgaria, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Lao PDR, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, Virgin Islands (UK), and Yemen.

For every compliance officer, risk manager, and business operating in or from the UAE and Kuwait, this list is not background information. It is an active operational input that must be woven into customer risk scoring, transaction monitoring, EDD procedures, and enterprise-wide risk assessments. Every entity linked to any of these 22 jurisdictions requires heightened scrutiny.

The right governance risk and compliance software in Dubai makes this process systematic, documented, and defensible. This blog breaks down every greylisted country, why it was listed, what is required to fix it, and how First Compliance Solution equips your organization to manage the exposure.

What Greylisting Means in Practice

Grey-listed jurisdictions are not subject to FATF calls for enhanced due diligence or countermeasures. Instead, they are placed under increased monitoring, meaning they must demonstrate measurable progress in implementing FATF recommendations.

Despite the absence of mandatory countermeasures, greylisting has real consequences for businesses dealing with these countries:

Business Impact	What It Requires From You
Country risk ratings must be elevated	Update your Enterprise-Wide Risk Assessment immediately
Customer risk scoring recalibrated	Flag customers and counterparties from greylisted jurisdictions as higher risk
Enhanced Due Diligence required	Obtain source of funds, source of wealth, transaction purpose, and senior approval
Transaction monitoring intensified	Increase scrutiny of frequency, size, and patterns of transactions
STR obligations heightened	Any unexplained transactions involving greylisted countries must be reported via goAML
Correspondent banking reviews	International banks may apply restrictions on payments to/from these jurisdictions

The Five Most Significant Changes Explained

1. Proliferation Financing as a Standalone Offence

Perhaps the most consequential change in the new law is the introduction of proliferation financing (PF) as a distinct criminal offence, separate from broader counter-terrorism financing obligations. Under the 2018 framework, PF controls were embedded within general CTF provisions and were often treated as an extension of sanctions screening. The 2025 law demands a fundamentally different approach.
Businesses must now:

● Conduct a specific Proliferation Financing Risk Assessment (PFRA) that is separate from their general Business Risk Assessment
● Implement targeted financial sanctions (TFS) controls specifically designed to detect and prevent PF activity
● Document their PF risk exposure and the controls applied to mitigate it
● Train staff on PF typologies, red flags, and reporting obligations

This change alone will require most regulated entities to revisit their existing risk assessment frameworks from the ground up.

2. Tax Evasion as a Predicate Offence

Key Stats to Know

The explicit inclusion of tax evasion as a predicate offence to money laundering carries significant practical implications, particularly for businesses that serve high-net-worth individuals, corporate clients with complex cross-border structures, or customers operating in multiple jurisdictions.

Where previously tax matters were largely treated as a separate regulatory concern, compliance teams must now consider tax risk as part of their AML customer due diligence process. Enhanced due diligence for clients with opaque tax structures, offshore holdings, or exposure to high-risk jurisdictions is now an expectation, not a discretionary measure.

3. Virtual Assets and VASPs

The UAE has become one of the most active virtual asset markets in the world, and the 2025 law reflects that reality. Virtual Asset Service Providers are now explicitly brought within the scope of the AML framework, with obligations that mirror those applied to traditional financial institutions.
Key requirements for VASPs and entities transacting in virtual assets include:

● Full compliance with the Travel Rule for virtual asset transfers above threshold values
● Risk-based CDD on virtual asset customers, including source of funds verification
● Real-time sanctions screening against all relevant lists including OFAC, UN, and UAE local lists
● Suspicious Transaction Reporting for anomalous virtual asset activity
● Licensing verification of counterparty VASPs before processing transactions

4. Strengthened Beneficial Ownership Requirements

Beneficial ownership transparency has been a persistent weakness in the UAE’s AML framework, and the 2025 law addresses it directly. Regulated entities are now required to verify beneficial ownership information more rigorously at onboarding, review it more frequently throughout the relationship, and maintain records in a format that is accessible and auditable.

The practical implications are significant:

Ownership structures with multiple layers or complex corporate chains require deeper investigation
Passive reliance on customer-provided documentation is no longer sufficient
Ongoing monitoring must flag changes in ownership structure that could indicate emerging risk
Records must be maintained in a format that can be produced quickly to supervisory authorities

5. Enhanced Penalties and Supervisory Powers

The 2025 law grants supervisory authorities, including the Central Bank, CBUAE, SCA, VARA, and DFSA within their respective jurisdictions, significantly broader powers to investigate, sanction, and prosecute non-compliance. Penalties have been enhanced across the board, with fines reaching into the tens of millions of dirhams for serious or repeated breaches.

The Central Bank has already signaled the direction of travel, issuing approximately AED 350 million in AML-related fines in recent months. Under the new law, that enforcement posture is backed by an even stronger legal foundation.

Who Is Affected: Regulated Entities Under the New Law

The following categories of business fall within the scope of Federal Decree-Law No. 10 of 2025:

● Banks, exchange houses, and financial institutions
● Insurance companies and brokers
● Investment firms and asset managers
● Real estate agents and brokers
● Lawyers, notaries, and independent legal professionals
● Accountants and auditors
● Company formation agents and corporate service providers
● Dealers in precious metals and stones
● Virtual Asset Service Providers (VASPs)
● Free zone entities engaged in financial or designated non-financial activities

If your business falls into any of the above categories and you have not yet conducted a gap analysis against the new law, that process should begin immediately.

What Businesses Must Do Now: A Compliance Action Plan

Business Impact	What It Requires From You
Country risk ratings must be elevated	Update your Enterprise-Wide Risk Assessment immediately
Customer risk scoring recalibrated	Flag customers and counterparties from greylisted jurisdictions as higher risk
Enhanced Due Diligence required	Obtain the source of funds, the source of wealth, the transaction purpose, and senior approval
Transaction monitoring intensified	Increase scrutiny of frequency, size, and patterns of transactions
STR obligations heightened	Any unexplained transactions involving greylisted countries must be reported via goAML
Correspondent banking reviews	International banks may apply restrictions on payments to/from these jurisdictions

Grey-listing often triggers internal compliance changes, including EDD thresholds, transaction monitoring calibration, periodic review frequency, and approvals for higher-risk relationships.

The Complete FATF Grey List: All 22 Countries Explained

1. Algeria

Listed: October 2024

Regional Body: MENAFATF

Algeria was added to the grey list with an action plan specifying improvements around implementing risk-based supervision, establishing a framework for basic and beneficial ownership information, enhancing its suspicious transaction reporting procedures, applying financial sanctions for terrorism financing, and conducting oversight of the country’s non-profit sector.

Progress note: At the February 2026 Plenary, FATF made the initial determination that Algeria has substantially completed its action plan and warrants an on-site assessment to verify that the implementation of AML/CFT reforms has begun and is being sustained. Algeria is one of the closest countries to exiting the list.

2. Angola

Listed: October 2024

Regional Body: ESAAMLG

After the June 2023 adoption of its mutual evaluation report, Angola made progress on some of its recommended actions. However, the FATF identified deficiencies in the country’s AML/CFT regime, including its understanding of ML/TF risks, supervision of non-financial entities, low prosecution rates for criminal offences, and delays in implementing sanctions.

Remaining action plan items:

Enhance understanding of ML/TF risks
Improve risk-based supervision of non-banking entities and DNFBPs
Ensure competent authorities have accurate, timely access to beneficial ownership information
Demonstrate increased ML investigations and prosecutions
Demonstrate ability to identify, investigate, and prosecute terrorist financing
Implement targeted financial sanctions without delay

3. Bolivia

Listed: June 2025

Regional Body: GAFILAT

Since its last mutual evaluation report in 2023, Bolivia has made some progress on its recommended actions, including improving its understanding of ML/TF risks, strengthening its financial intelligence networks, and increasing its ability to investigate terrorist financing. However, this was not enough to prevent greylisting in June 2025.

Remaining action plan items:

Implement risk-based supervision of DNFBPs
Ensure beneficial ownership information is accurate and current
Increase ML investigations and prosecutions

4. Bulgaria

Listed: October 2023

Regional Body: MONEYVAL

Bulgaria’s greylisting was notable as it became the first EU member state placed on the FATF Grey List in over a decade. The deficiencies identified relate to the effectiveness of AML/CFT measures, including gaps in supervising higher-risk sectors, the quality of suspicious transaction reporting, and the effectiveness of prosecutions for complex money laundering cases.

Compliance note for UAE businesses: Bulgaria is an EU member state, and its greylisting has triggered specific EDD obligations for Bulgarian-connected transactions under UAE AML/CFT regulations.

5. Cameroon

Listed: October 2023

Regional Body: GABAC / FATF

Cameroon was identified as having strategic deficiencies across multiple dimensions of its AML/CFT/CPF framework, including gaps in financial sector supervision, limited effectiveness of suspicious transaction reporting, and weaknesses in beneficial ownership transparency across corporate structures. The country has been working through an action plan, but progress has been slower than the timeframe requires.

6. Côte d'Ivoire (Ivory Coast)

Listed: October 2024

Regional Body: GIABA

Despite making progress on some of its June 2023 MER’s recommendations, such as strengthening its legal AML/CFT framework, Côte d’Ivoire was added to the grey list in October 2024. The country will continue to work with FATF to implement its action plan, including by demonstrating a sustained increase in ML/TF prosecutions, strengthening its sanctions framework, and improving its measures to verify beneficial ownership information.

7. Democratic Republic of the Congo (DRC)

Listed: June 2024

Regional Body: GABAC / ESAAMLG

The DRC was greylisted due to systemic weaknesses in its AML/CFT framework. The key deficiencies identified include inadequate risk-based supervision of financial institutions and DNFBPs, very low volumes of suspicious transaction reporting, weak beneficial ownership transparency, and limited capacity to investigate and prosecute money laundering related to the country’s significant extractive industries and informal economy.

8. Haiti

Listed: June 2020

Regional Body: CFATF

Haiti has been on the grey list since 2020, making it one of the longest-running greylisted jurisdictions. Haiti chose to defer reporting at the February 2026 Plenary, meaning the statement issued previously for that jurisdiction is included in FATF’s publication but may not necessarily reflect the most recent status of its AML/CFT regime. Ongoing political instability, governance challenges, and gang-related criminal economies have made sustained AML/CFT reform deeply difficult.

9. Kenya

Listed: February 2024

Regional Body: ESAAMLG

Kenya was greylisted in February 2024 following its mutual evaluation, which identified persistent gaps in risk-based supervision of financial institutions and DNFBPs, weaknesses in beneficial ownership data quality, and insufficient prosecution of complex money laundering cases. Kenya is a significant regional financial hub, making its greylisting particularly impactful for businesses with East Africa exposure.

Progress note: At its February 2026 Plenary, FATF made the initial determination that Namibia has substantially completed its action plan and warrants an on-site assessment. Kenya is also progressing toward completion of its action plan, but has not yet reached the on-site assessment stage.

10. Kuwait

Listed: February 2026

Regional Body: MENAFATF

Kuwait is the most recently added jurisdiction of direct relevance to UAE-based businesses. After its initial 2015 removal, Kuwait was re-listed in February 2026 following the country’s 2024 MER. Critical shortcomings were highlighted with its AML/CFT framework, including an inadequate understanding of TF risks and a lack of investigations into complex ML cases. The country is also tasked with improving the implementation of targeted financial sanctions to ensure assets linked to terrorism can be promptly frozen.

Remaining action plan items:

Enhance outreach to real estate agents and Dealers in Precious Metals and Stones on STR reporting
Ensure beneficial ownership registry information is accurate, complete, and current
Increase ML investigations and prosecutions tied to cross-border currency movements
Improve understanding of terrorist financing risks across relevant authorities

For UAE-regulated entities, Kuwait’s greylisting is an immediate compliance trigger requiring EDD for all Kuwait-linked customers and counterparties.

11. Lao PDR (Laos)

Listed: February 2025

Regional Body: APG

Despite Laos’ steps to address recommendations from its 2023 MER, such as bolstering financial intelligence unit resources and eliminating bearer shares, the FATF found significant challenges remained regarding the country’s risk assessment process, regulatory oversight, and law enforcement effectiveness.

Remaining action plan items:

Improve national risk assessment processes
Strengthen regulatory oversight of financial institutions and DNFBPs
Improve law enforcement’s capacity to investigate and prosecute ML cases

12. Lebanon

Listed: October 2024

Regional Body: MENAFATF

The FATF placed Lebanon on the grey list in October 2024, citing the country’s AML/CFT risk assessments, its approach to asset recovery, and its lack of up-to-date beneficial ownership information as areas for improvement. The FATF has acknowledged the social, economic, and security-related difficulties Lebanon has faced since its invasion by Israel in October 2024, and has not recommended that enhanced due diligence or countermeasures be applied to the country.

Lebanon’s position is particularly sensitive given its deep integration with regional banking networks and the significant Lebanese diaspora with business connections across the Gulf.

13. Monaco

Listed: June 2024

Regional Body: MONEYVAL

Monaco, which has the highest concentration of millionaires and billionaires in the world, was added to the grey list in June 2024 due to insufficient progress in combating illicit financial flows. This decision follows a January 2023 review by MONEYVAL, which found that while Monaco had made some progress in identifying ML/TF threats, significant gaps remained in its investigative and prosecutorial capabilities.

Monaco’s greylisting is particularly significant for wealth management firms, private banking operations, and luxury real estate professionals in Dubai who manage clients with Monaco-connected assets or residency.

14. Namibia

Listed: February 2025

Regional Body: ESAAMLG

Namibia was added to the grey list in February 2025 following identified weaknesses in its AML/CFT framework, including gaps in risk-based supervision, low beneficial ownership transparency, and insufficient prosecution activity. At the February 2026 Plenary, FATF made the initial determination that Namibia has substantially completed its action plan and warrants an on-site assessment. Namibia is among the most advanced countries in working toward removal.

15. Nepal

Listed: February 2025

Regional Body: APG

While Nepal made legislative amendments in 2024 to align with FATF standards, the country has struggled with implementation and enforcement, particularly in financial sector oversight, prosecutorial effectiveness, and regulatory compliance. The Asia/Pacific Group on Money Laundering had previously flagged Nepal’s slow response to key recommendations from its 2022 MER, which highlighted persistent gaps in monitoring high-risk sectors and financial crime enforcement.

Nepal’s large remittance economy and close financial ties with Gulf countries, including the UAE, make its greylisting relevant to exchange houses and payment service providers operating across the Gulf.

16. Papua New Guinea (PNG)

Listed: February 2026

Regional Body: APG

Papua New Guinea was added to the grey list in February 2026, a decade after its 2016 removal. Although the country made technical improvements following its first listing in 2014, its 2024 mutual evaluation revealed significant systemic AML/CFT failures. The FATF identified significant deficiencies in criminal prosecutions for ML and in the supervision of high-risk sectors, including DNFBPs.

PNG will work with FATF to implement its action plan by improving its understanding of ML risks and endorsing the National AML/CFT/CPF Strategic Plan, proactively seeking outbound international cooperation to identify and trace criminal property abroad, improving risk-based supervision of banks, MVTS and FX dealers, and higher-risk DNFBPs, and demonstrating an increase in ML investigations, prosecutions, and confiscation of criminal proceeds.

17. South Sudan

Listed: October 2021

Regional Body: ESAAMLG

South Sudan has been on the grey list since October 2021, with deficiencies spanning nearly every dimension of AML/CFT compliance, including national risk assessment, financial sector supervision, beneficial ownership transparency, STR reporting, and international cooperation. Ongoing conflict, political instability, and weak institutional infrastructure have made reform progress slow.

18. Syria

Listed: October 2010

Regional Body: MENAFATF

Syria has been on the FATF Grey List since 2010, making it one of the longest-standing entries in the list’s history. Syria chose to defer reporting at the February 2026 Plenary, and the statement issued previously for that jurisdiction may not necessarily reflect the most recent status of its AML/CFT regime. The country’s prolonged conflict, near-total institutional collapse, and severe sanctions exposure make it effectively a no-go zone for regulated businesses.

19. Venezuela

Listed: June 2024

Regional Body: GAFILAT

In early 2022, an assessment team visited Venezuela to prepare the country’s MER. The team raised concerns about ML risks associated with the nation’s large informal economy, including illegal mining. They also highlighted terrorist financing threats linked to the close economic alliance between Caracas and Tehran. Consequently, Venezuela was added to the grey list in June 2024.

Venezuela also remains subject to significant international sanctions from the US, EU, and UK, which compound the compliance obligations associated with Venezuelan-linked transactions.

20. Vietnam

Listed: June 2023

Regional Body: APG

Vietnam was greylisted in June 2023 following a mutual evaluation that identified deficiencies in risk-based supervision, beneficial ownership transparency, and effectiveness of AML/CFT controls across its rapidly growing financial services and real estate sectors. Vietnam’s integration into global trade and manufacturing supply chains makes it an active area of compliance concern for UAE trade finance and corporate service businesses.

21. Virgin Islands (UK)

Listed: June 2025

Regional Body: CFATF

In June 2025, the FATF tasked the British Virgin Islands with enhancing risk-based supervision of investment firms, virtual asset service providers, and trust or company service providers, ensuring beneficial ownership information is available to the authorities, and systematically pursuing ML investigations. The jurisdiction has made some progress since its most recent MER, such as increasing requests for international cooperation and risk-assessing its non-profit sector.

The BVI’s greylisting is of direct relevance to UAE corporate service providers, law firms, and wealth management businesses that frequently incorporate structures using BVI entities.

22. Yemen

Listed: February 2010

Regional Body: MENAFATF

Yemen has been on the grey list since 2010. In June 2014, the FATF determined that Yemen had substantially addressed its action plan at a technical level, but due to the security situation, FATF has been unable to conduct an on-site visit to confirm whether the process of implementing the required reforms has begun and is being sustained. The FATF will conduct an on-site visit at the earliest possible date. Over a decade later, Yemen’s security situation has not permitted that visit, making it effectively a permanent entry on the list under current conditions.

Summary Table: All 22 Grey List Countries at a Glance

Country	Region	Date Listed	Primary Deficiencies	Status
Algeria	MENA	Oct 2024	Supervision, beneficial ownership, STR, TF sanctions	Near on-site assessment
Angola	Africa	Oct 2024	ML/TF risk understanding, supervision, prosecutions	Active action plan
Bolivia	Latin America	Jun 2025	DNFBP supervision, beneficial ownership, ML prosecutions	Active action plan
Bulgaria	Europe (EU)	Oct 2023	Supervision, STR quality, complex ML prosecutions	Active action plan
Cameroon	Africa	Oct 2023	Financial sector supervision, STR, beneficial ownership	Active action plan
Côte d'Ivoire	Africa	Oct 2024	ML/TF prosecutions, sanctions, beneficial ownership	Active action plan
DR Congo	Africa	Jun 2024	Supervision, STR, beneficial ownership, extractive sector	Active action plan
Haiti	Caribbean	Jun 2020	Governance, supervision, all areas	Deferred reporting
Kenya	Africa	Feb 2024	DNFBP supervision, beneficial ownership, complex ML	Active action plan
Kuwait	MENA	Feb 2026	TF risk understanding, complex ML, DNFBP STR, beneficial ownership	New listing
Lao PDR	Asia	Feb 2025	Risk assessment, regulatory oversight, law enforcement	Active action plan
Lebanon	MENA	Oct 2024	Risk assessments, asset recovery, beneficial ownership	Active action plan
Monaco	Europe	Jun 2024	Investigations, prosecutions, illicit financial flows	Active action plan
Namibia	Africa	Feb 2025	Supervision, beneficial ownership, prosecutions	Near on-site assessment
Nepal	Asia	Feb 2025	Supervision, enforcement, sector monitoring	Active action plan
Papua New Guinea	Pacific	Feb 2026	ML risk understanding, supervision, prosecutions, confiscation	New listing
South Sudan	Africa	Oct 2021	National risk assessment, supervision, STR, all areas	Active action plan
Syria	MENA	Oct 2010	All areas; conflict-affected	Deferred reporting
Venezuela	Latin America	Jun 2024	Informal economy ML, TF, illegal mining	Active action plan
Vietnam	Asia	Jun 2023	Supervision, beneficial ownership, real estate sector	Active action plan
Virgin Islands (UK)	Caribbean	Jun 2025	VASP supervision, beneficial ownership, ML investigations	Active action plan
Yemen	MENA	Feb 2010	All areas; conflict-affected; on-site not possible	Awaiting on-site visit

Recent Removals: Countries That Exited the Grey List

Understanding which countries successfully exited the Grey List is just as important for risk management. These removals demonstrate what full action plan implementation looks like in practice:

Country	Removed	Key Reforms That Secured Removal
South Africa	Oct 2025	Improved STR quality, increased ML prosecutions, stronger DNFBP supervision
Nigeria	Oct 2025	Completed ML/TF risk assessment, enhanced high-risk sector controls, improved beneficial ownership
Mozambique	Oct 2025	Inter-agency coordination, TF risk assessment, AML/CFT strategy implementation
Burkina Faso	Oct 2025	Risk-based supervision, beneficial ownership maintenance, TF law enforcement
Philippines	Feb 2025	Casino sector reform, TF prosecution capacity, international cooperation
Croatia	Jun 2025	TF detection, non-profit sector oversight, UN financial sanctions implementation
Tanzania	Jun 2025	Risk-based supervision, prosecutorial effectiveness, FIU capability
UAE	Feb 2024	Comprehensive legislative overhaul, VARA establishment, STR surge, DNFBP crackdown

The Common Threads: Why Countries Keep Getting Listed

Across all 22 greylisted jurisdictions, several deficiency types appear repeatedly. These are the areas where global AML/CFT frameworks most commonly break down:

Beneficial Ownership Transparency: Appearing in the action plans of Algeria, Angola, Bolivia, Côte d’Ivoire, Kenya, Kuwait, Lebanon, Namibia, the Virgin Islands, and others. The ability to identify who ultimately owns and controls a company is foundational to AML/CFT, and it remains the most widespread weakness globally.

Risk-Based Supervision: Effective supervision requires regulators to allocate their resources to the highest-risk entities and sectors. Most greylisted countries apply a rule-based approach that treats all entities the same, leaving high-risk areas under-supervised.

STR Reporting Quality and Volume: Suspicious Transaction Reports are the primary intelligence tool of financial intelligence units. In most greylisted countries, STR volumes are too low, the quality of analysis is insufficient, or DNFBPs are largely not filing at all.

ML/TF Prosecutorial Effectiveness: Having criminalisation laws on paper is not enough. FATF requires demonstrated prosecutions, particularly for complex cases. Most greylisted countries prosecute only simple, low-value ML cases while complex predicate offences go uninvestigated.

Targeted Financial Sanctions Implementation: The ability to freeze assets linked to designated terrorist individuals and entities without delay is a core FATF requirement. Many greylisted countries have the legal framework but fail to act swiftly in practice.

What UAE and Kuwait Businesses Must Do Right Now

Given that two MENA-region countries are now on the Grey List and multiple others maintain links to Gulf financial flows, regulated entities in the UAE and Kuwait face a specific and immediate compliance obligation:

Review your customer base and identify any clients with connections to all 22 greylisted jurisdictions, not just Kuwait
Update Enterprise-Wide Risk Assessments to reflect the February 2026 Grey List
Apply or intensify EDD for customers from Monaco (wealth management), BVI (corporate structures), Lebanon (banking), and Bulgaria (EU-based entities) as well as Kuwait and PNG
Recalibrate transaction monitoring thresholds and typology libraries for greylisted country exposure
Review beneficial ownership information for any corporate clients incorporated in or connected to greylisted jurisdictions
File STRs for any transactions that cannot be risk-justified post-EDD review
Update internal policies, procedure manuals, and staff training materials

How First Compliance Solution Helps You Manage Grey List Exposure

Managing 22 greylisted jurisdictions, each with different risk profiles, regional contexts, and compliance triggers, is a task that cannot be done manually at scale. This is where purpose-built governance risk and compliance software in Dubai becomes the critical infrastructure of your compliance programme.

First Compliance Solution is a comprehensive, AI-powered platform that brings together every module your team needs to manage grey list exposure across your entire customer base.

How the Platform Addresses Each Grey List Challenge

Sanctions and Jurisdiction Screening: First Compliance integrates with hundreds of global sanctions lists, PEP databases, and watchlists. When FATF updates the Grey List in February, June, or October, your screening configuration reflects the change. Every customer and counterparty linked to a greylisted jurisdiction is flagged automatically. No manual list management. No gaps.

Risk-Based Customer Scoring: The platform’s Risk Management module allows you to configure country-level risk weighting into your customer risk scoring model. A customer from Kuwait or Lebanon automatically scores higher and triggers an EDD workflow, regardless of which compliance officer is handling the case.

Automated EDD Workflows: EDD for greylisted country customers requires collecting additional information, including source of funds, source of wealth, transaction purpose, and senior management approval. First Compliance’s Compliance Case Management module structures this workflow, ensures it is completed, and creates a full, documented audit trail for every case.

Transaction Monitoring With Grey List Calibration: The Transaction Monitoring module screens transactions in real time, with configurable rules and thresholds that can be set differently for customers from greylisted jurisdictions. A transaction that is unremarkable for a low-risk customer becomes a priority alert when the counterparty is based in a greylisted country.

Regulatory Reporting: When a transaction cannot be risk-justified and must be reported as an STR to the UAE FIU via go AML, First Compliance’s Regulatory Reporting module supports the full preparation, review, and submission workflow.

As the most comprehensive governance risk and compliance software in Dubai for regulated entities managing multi-jurisdictional exposure, First Compliance Solution turns the February 2026 FATF update from a reactive scramble into a systematic, automated response.

Platform Modules Mapped to Grey List Management Obligations

Compliance Obligation	First Compliance Solution Module
Grey list jurisdiction screening at onboarding	Sanction Screening
Customer risk scoring with country risk weighting	Risk Management
EDD workflows for greylisted country customers	Onboarding and Due Diligence
Beneficial ownership capture and verification	E-KYC with real-time face verification
Transaction monitoring for greylisted country exposure	Transaction Monitoring
Case management and EDD documentation	Compliance Case Management
STR preparation and goAML submission	Regulatory Reporting
Policy and procedure document management	Document Management
MLRO dashboards and risk reporting	Dashboard and Analytics
Regulatory deadline alerts	Alerts and Notifications

For UAE businesses managing exposure to all 22 greylisted jurisdictions simultaneously, and for Kuwait-based entities now building their AML/CFT infrastructure under increased FATF scrutiny, the platform provides the end-to-end operational backbone that manual compliance simply cannot replicate.

Investing in robust governance risk and compliance software in Dubai is no longer a choice reserved for large financial institutions. Every regulated DNFBP, exchange house, law firm, real estate broker, and VASP faces the same Grey List obligations, and every one of them needs a system that keeps pace with every FATF update.

Contact us to request a demo and see how the platform can be configured to your sector’s specific obligations under the UAE and Kuwait AML/CFT law.

Conclusion

The FATF Grey List is a living, changing document. In the past twelve months alone, eight countries were removed, and four were added. The February 2026 update brought Kuwait and Papua New Guinea onto the list, leaving 22 jurisdictions under increased monitoring. At the June 2026 Plenary, the list will change again.

For businesses in the UAE and Kuwait, keeping pace with every Grey List update is a legal obligation, not an optional best practice. The countries on this list represent real exposure in your customer base, your transaction flows, and your correspondent relationships.

With governance risk and compliance software in Dubai from First Compliance Solution, every Grey List update becomes an automated system trigger rather than a manual compliance crisis. Your risk scores update, your EDD workflows activate, and your audit trail documents every decision, all without your team having to start from scratch each time the FATF meets.

Contact us to find out how the platform can be configured for your specific sector, customer base, and regulatory obligations.

Preparing for FATF Mutual Evaluation UAE 2026: What Regulators Will Scrutinize and How to Stay Compliant

By First Compliance

UAE’s New AML Law 2025/2026: Key Changes Under Federal Decree-Law No. 10 and What Businesses Must Do Now

UAE's New AML Law 2025/2026: Key Changes Under Federal Decree-Law No. 10 and What Businesses Must Do Now

On 14 October 2025, the UAE took one of its most significant legislative steps in the fight against financial crime. Federal Decree-Law No. 10 of 2025 came into force, repealing and replacing the previous AML law that had governed the country’s anti-money laundering framework since 2018. This is not a minor update. It is a comprehensive overhaul, and every regulated business operating in the UAE needs to understand exactly what has changed, what is now required, and what the cost of non-compliance looks like in 2026.

With the FATF Mutual Evaluation scheduled for June 2026, the timing of this legislation is deliberate. The UAE is signaling to international assessors that its legal framework is not just reformed on paper but is being actively enforced. For compliance officers, legal teams, and business owners across the Emirates, the window to align with the new law is already narrowing.

Why This Law Was Introduced

The UAE’s removal from the FATF grey list in February 2024 marked a turning point, but it also came with an implicit expectation: that the country would continue strengthening its AML/CFT architecture rather than ease off once the immediate pressure had passed. Federal Decree-Law No. 10 of 2025 is the legislative centerpiece of that continued commitment.

The new law addresses gaps that the 2020 Mutual Evaluation identified, incorporates the findings of the UAE’s third National Risk Assessment published in April 2025, and aligns domestic legislation more closely with the FATF’s evolving global standards. It also reflects the realities of a financial landscape that looks very different from 2018, including the rapid growth of virtual assets, the increasing sophistication of financial crime, and the UAE’s expanded role as a global trading and investment hub.

Key Changes Under Federal Decree-Law No. 10 of 2025

Area of Change	Previous Position (2018 Law)	New Position (2025 Law)
Proliferation Financing	Addressed within broader CTF provisions	Now a standalone criminal offence with specific obligations
Predicate Offences	Limited list of underlying crimes	Expanded to explicitly include tax evasion
Virtual Assets	Limited coverage	Explicit inclusion of VASPs and digital asset transactions
Beneficial Ownership	General obligations	Strengthened verification and record-keeping requirements
Penalties	Existing penalty framework	Significantly enhanced fines and criminal sanctions
Digital Systems	Not explicitly addressed	Explicitly covered, including digital onboarding and e-KYC
Risk-Based Approach	Encouraged	Mandated with documented evidence of application
STR Obligations	Existing framework	Expanded scope of reporting triggers and timelines
Supervisory Powers	Existing framework	Broader powers granted to supervisory authorities
Cross-Border Cooperation	General provisions	Strengthened mutual legal assistance and information sharing

The Five Most Significant Changes Explained

1. Proliferation Financing as a Standalone Offence

● Conduct a specific Proliferation Financing Risk Assessment (PFRA) that is separate from their general Business Risk Assessment
● Implement targeted financial sanctions (TFS) controls specifically designed to detect and prevent PF activity
● Document their PF risk exposure and the controls applied to mitigate it
● Train staff on PF typologies, red flags, and reporting obligations

This change alone will require most regulated entities to revisit their existing risk assessment frameworks from the ground up.

2. Tax Evasion as a Predicate Offence

Key Stats to Know

3. Virtual Assets and VASPs

● Full compliance with the Travel Rule for virtual asset transfers above threshold values
● Risk-based CDD on virtual asset customers, including source of funds verification
● Real-time sanctions screening against all relevant lists including OFAC, UN, and UAE local lists
● Suspicious Transaction Reporting for anomalous virtual asset activity
● Licensing verification of counterparty VASPs before processing transactions

4. Strengthened Beneficial Ownership Requirements

The practical implications are significant:

Ownership structures with multiple layers or complex corporate chains require deeper investigation
Passive reliance on customer-provided documentation is no longer sufficient
Ongoing monitoring must flag changes in ownership structure that could indicate emerging risk
Records must be maintained in a format that can be produced quickly to supervisory authorities

5. Enhanced Penalties and Supervisory Powers

Who Is Affected: Regulated Entities Under the New Law

The following categories of business fall within the scope of Federal Decree-Law No. 10 of 2025:

If your business falls into any of the above categories and you have not yet conducted a gap analysis against the new law, that process should begin immediately.

What Businesses Must Do Now: A Compliance Action Plan

Action	Priority	Timeline
Conduct gap analysis against Federal Decree-Law No. 10	Critical	Immediately
Update Business Risk Assessment to include PF risk	Critical	Within 30 days
Review and update CDD and EDD procedures	High	Within 30 days
Update sanctions screening to cover all required lists	Critical	Immediately
Implement or review Travel Rule compliance (VASPs)	High	Within 30–60 days
Retrain staff on new typologies, PF, and tax evasion	High	Within 60 days
Review beneficial ownership verification procedures	High	Within 30 days
Update AML policies and procedures manual	High	Within 45 days
Conduct board-level briefing on new obligations	Medium	Within 30 days
Stress-test transaction monitoring rule sets	Medium	Within 60 days
Prepare evidence pack for regulatory inspection	Medium	Within 90 days

The Role of Technology in Meeting the New Standard

The obligations introduced under Federal Decree-Law No. 10 are not achievable through manual processes alone. The volume, complexity, and speed of data required to meet the new law’s expectations demand a technology-led approach. This is where investing in robust AML compliance software becomes not just useful but essential. A capable platform enables regulated entities to:

● Screen customers and transactions against hundreds of global and local sanctions lists in real time
● Apply dynamic, risk-based scoring to customer profiles that updates automatically as new information emerges
● Monitor transactions continuously for patterns consistent with money laundering, proliferation financing, or tax evasion
● Generate and file Suspicious Transaction Reports within the required timeframes
● Maintain auditable records of every compliance decision for regulatory inspection
● Produce management information and board-level reporting on compliance performance
● Document the application of a risk-based approach in a format assessor can verify

Without the right technology embedded in your operations, the gap between what the law now requires and what your organization can demonstrate is likely to be significant.

Common Gaps Regulators Will Identify in 2026

Based on the new law’s provisions and the FATF’s 5th Round Methodology, the following weaknesses are most likely to be identified during supervisory inspections and the June 2026 Mutual Evaluation:

● Proliferation financing risk assessments that are absent, generic, or not tailored to the specific business model
● Transaction monitoring systems that generate high volumes of false positives but miss genuine suspicious activity
● CDD files that are incomplete, outdated, or do not reflect the current risk rating of the customer
● STR filings that are low in volume, poor in quality, or submitted outside required timeframes
● Beneficial ownership records that cannot be verified independently or accessed quickly
● Staff training that is annual and tick-box rather than ongoing and risk-informed
● Governance structures where the compliance function lacks sufficient seniority, resource, or board access

Each of these gaps is both a regulatory risk and an operational vulnerability. Addressing them before an inspection is infinitely preferable to explaining them during one.

How First Compliance Supports Full Alignment with the New Law

At First Compliance, we have developed our platform specifically for regulated entities operating within the UAE’s legal and regulatory environment. Every module is built to address the obligations that matter most under Federal Decree-Law No. 10 of 2025 and the broader FATF framework. For any regulated business searching for dependable AML compliance software, our solution is purpose-built for exactly this environment.

Our platform covers:

● Sanctions and PEP Screening – real-time screening against hundreds of global lists including OFAC, UN, EU, HM Treasury, and UAE local lists
● eKYC and Customer Due Diligence – automated, risk-scored onboarding with full document management and beneficial ownership mapping
● Transaction Monitoring – AI-powered detection of suspicious patterns with customizable rule sets aligned to current UAE typologies
● Proliferation Financing Controls – dedicated modules supporting PFRA and TFS compliance
● Regulatory Reporting – structured STR and CTR workflows that ensure accurate, timely filing
● Case Management – complete audit trails for every alert, investigation, and compliance decision
● Risk Management – dynamic customer risk scoring that reflects a genuine risk-based approach
● Dashboard and Analytics – real-time management information for compliance officers and board-level reporting

Whether you are a bank, a VASP, a DNFBP, or a free zone entity, our platform scales to your size, your risk profile, and your regulatory obligations.

The Bottom Line

Federal Decree-Law No. 10 of 2025 has raised the bar for AML compliance in the UAE in a way that cannot be addressed through policy updates alone. It demands operational change, technological investment, and a genuine culture of compliance that runs from the front line to the boardroom.

With the FATF Mutual Evaluation arriving in June 2026, the question is not whether your organization will face scrutiny. It is whether you will be ready when it arrives.

The businesses that act now, closing gaps, upgrading systems, and embedding the new law’s requirements into daily operations, will not only survive the evaluation. They will demonstrate the kind of institutional commitment that regulators and international partners are looking for.

Take the Next Step with First Compliance

Do not wait for a regulatory inspection to discover where your gaps are. First Compliance gives you the tools, the data, and the audit trail to face the new AML landscape with confidence. Our AML compliance software is trusted by regulated entities across the UAE to deliver exactly the kind of operational readiness that the new law demands.

Schedule your free demo today at First Compliance and let our team show you exactly how our platform aligns with Federal Decree-Law No. 10 of 2025, the FATF’s 5th Round requirements, and the supervisory expectations of 2026.

Your compliance framework should be an asset, not a vulnerability. Let us help you make it one.

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

By First Compliance

Preparing for FATF Mutual Evaluation UAE 2026: What Regulators Will Scrutinize and How to Stay Compliant

The UAE has come a long way. Removed from the FATF grey list on 23 February 2024 after being placed under increased monitoring in March 2022, the country has demonstrated a serious commitment to strengthening its AML/CFT framework. But with the UAE’s next mutual evaluation by the FATF scheduled for June 2026, the work is far from over. In fact, for regulated entities across the UAE, the real pressure is only just beginning.

This evaluation will be conducted under the FATF’s 5th Round Methodology, which applies tighter scrutiny, a faster cycle, and a sharper focus on effectiveness rather than mere technical compliance. For financial institutions, DNFBPs, and compliance officers operating in the UAE, understanding what assessors will scrutinise is not optional. It is urgent.

Why This Evaluation Matters More Than the Last

The 2020 Mutual Evaluation exposed significant weaknesses in the UAE’s AML/CFT system, ultimately leading to grey listing. Since then, the UAE has enacted sweeping reforms. Federal Decree-Law No. 10/2025, which came into effect on 14 October 2025, repealed and replaced the 2018 AML law, introducing standalone offences for proliferation financing, expanding predicate offences to include tax evasion, and explicitly covering digital systems and virtual assets.

The UAE has also launched a national strategy for AML, CTF and proliferation financing for 2024 to 2027, developed on the basis of its third National Risk Assessment, published in April 2025.

Despite this progress, regulators will expect to see that reforms are not just enacted on paper but embedded in day-to-day institutional practice. That distinction, between formal compliance and operational effectiveness, is precisely where the 2026 evaluation will probe hardest.

Why This Evaluation Matters More Than the Last

Focus Area	What Assessors Will Look For
Beneficial Ownership	Accurate, up-to-date records; effective verification at onboarding
Transaction Monitoring	Real-time detection of suspicious patterns; STR filing quality and volume
Sanctions Screening	Coverage of all relevant lists; speed and accuracy of screening
Virtual Assets	Compliance with Travel Rule; VASP licensing and oversight
Customer Due Diligence	Risk-based approach; enhanced DD for high-risk customers
Regulatory Reporting	Timeliness, completeness and accuracy of STRs and CTRs
Proliferation Financing	Controls aligned with new Federal Decree-Law No. 10/2025
Cross-Border Cooperation	Mutual Legal Assistance requests; information sharing evidence

The 11 Immediate Outcomes: Where Gaps Are Most Likely

The FATF’s 5th Round assesses effectiveness against 11 Immediate Outcomes (IOs). Based on the UAE’s 2020 MER and subsequent reforms, the following IOs are likely to attract the greatest scrutiny in 2026:

● IO.4 – Financial institutions apply adequate AML/CFT preventive measures
● IO.3 – Supervisors appropriately supervise, monitor and regulate financial institutions and DNFBPs
● IO.6 – Financial intelligence is effectively used by competent authorities
● IO.7 – ML offences and activities are investigated and offenders prosecuted
● IO.11 – Proliferation financing is prevented and suppressed

For each IO, assessors will seek evidence of actual outcomes, not policies alone. Documentation, case examples, audit trails, and data will all be requested.

Sectors Under the Sharpest Scrutiny

Key Stats to Know

Certain sectors will face heightened examination based on the UAE’s risk profile as a major global financial and trading hub:

● Banks and financial institutions – transaction monitoring effectiveness, STR quality
● DNFBPs (real estate agents, lawyers, accountants, gold and precious metals dealers) – risk-based CDD, STR filing rates
● Virtual Asset Service Providers (VASPs) – Travel Rule compliance, licensing status
● Free Zone entities – beneficial ownership transparency, oversight adequacy
● Hawala and money service businesses – registration, monitoring, and reporting

The UAE Central Bank has already ramped up enforcement, issuing nearly AED 350 million in fines for AML and CTF breaches in recent months. Regulators are signalling clearly that the supervisory environment has changed.

Key Stats to Know

Metric	Figure
UAE grey list inclusion	March 2022
UAE grey list removal	February 2024
Federal Decree-Law No. 10/2025 effective date	14 October 2025
FATF 5th Round on-site visit (UAE)	June 2026
Central Bank AML fines (recent months)	~AED 350 million
UAE National AML/CFT Strategy period	2024–2027

How to Stay Compliant: A Practical Readiness Checklist

Institutions should use the months ahead to close gaps before assessors arrive. The following steps are non-negotiable:

● Conduct an internal gap analysis against FATF’s 40 Recommendations and the 11 IOs
● Update your Business Risk Assessment (BRA) to reflect the 2025 National Risk Assessment findings
● Review and stress-test your transaction monitoring rules for false negative rates and STR conversion quality
● Ensure beneficial ownership records are accurate, verified, and accessible in real time
● Document your risk-based approach to CDD with clear escalation procedures for high-risk customers
● Align policies with Federal Decree-Law No. 10/2025, particularly on proliferation financing and virtual assets
● Train staff across all levels, including front-line teams, on updated typologies and red flags
● Prepare an evidence pack for each IO your organisation is relevant to

Effective compliance monitoring software in Dubai is no longer a nice-to-have at this stage. It is the infrastructure that makes all of the above achievable, auditable, and demonstrable to assessors.

How to Stay Compliant: A Practical Readiness Checklist

Institutions should use the months ahead to close gaps before assessors arrive. The following steps are non-negotiable:

● Conduct an internal gap analysis against FATF’s 40 Recommendations and the 11 IOs
● Update your Business Risk Assessment (BRA) to reflect the 2025 National Risk Assessment findings
● Review and stress-test your transaction monitoring rules for false negative rates and STR conversion quality
● Ensure beneficial ownership records are accurate, verified, and accessible in real time
● Document your risk-based approach to CDD with clear escalation procedures for high-risk customers
● Align policies with Federal Decree-Law No. 10/2025, particularly on proliferation financing and virtual assets
● Train staff across all levels, including front-line teams, on updated typologies and red flags
● Prepare an evidence pack for each IO your organisation is relevant to

Effective compliance monitoring software in Dubai is no longer a nice-to-have at this stage. It is the infrastructure that makes all of the above achievable, auditable, and demonstrable to assessors.

The Role of Technology in FATF Readiness

Manual compliance processes will not meet the bar that 2026 assessors will set. Regulators want to see systems that generate reliable data, detect anomalies in real time, and produce audit-ready records at a moment’s notice.

This is where purpose-built compliance monitoring software in Dubai delivers a decisive advantage. From automated sanctions screening and risk-scored onboarding to real-time transaction monitoring and regulatory reporting, technology reduces human error, closes coverage gaps, and builds the evidentiary trail that assessors will look for.

How First Compliance Can Help

At First Compliance, we have built an all-in-one platform specifically designed for institutions operating in the UAE’s regulatory environment. Our modules cover every dimension of FATF readiness:

● Sanctions Screening – integrated with hundreds of global lists, updated in real time
● eKYC and Onboarding Due Diligence – risk-scored, automated, and fully documented
● Transaction Monitoring – AI-powered detection with customisable rule sets
● Regulatory Reporting – structured, accurate STR and CTR filing workflows
● Case Management – end-to-end audit trails for every compliance decision
● Risk Management – dynamic risk scoring aligned with a risk-based approach

As a leading provider of compliance monitoring software in Dubai, First Compliance gives your institution the tools, the data, and the documentation to face the 2026 Mutual Evaluation with confidence.

The Bottom Line

The UAE’s 2026 FATF Mutual Evaluation is not a formality. It is a high-stakes assessment of whether reforms have translated into real-world effectiveness. Institutions that start preparing now, with the right policies, the right training, and the right technology in place, will be far better positioned than those that wait.

The window to act is open. But it will not stay open for long.

Ready to strengthen your compliance framework ahead of the 2026 FATF evaluation?

Schedule a free demo with First Compliance today and see how our platform can close your gaps, automate your reporting, and give you the confidence to face regulatory scrutiny head-on.

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

By First Compliance

Advanced Due Diligence in the Age of AI: A Strategic Workshop for Compliance Leaders

In response to the ongoing regulatory reporting and supervisory obligations currently impacting the Insurance sector, we are pleased to announce our highly anticipated invitation-only compliance workshop. This strategic adjustment ensures maximum participation and engagement from senior compliance leaders across the UAE’s Insurance and Real Estate sectors.

About the Workshop

Organised by DNY Communications in collaboration with First Compliance by Adil Zone, this exclusive workshop addresses one of the most critical challenges facing compliance professionals today: “Mastering Advanced Due Diligence in the Age of AI.“

As artificial intelligence continues to transform the compliance landscape, organizations must adapt their Enhanced Due Diligence (EDD) frameworks to leverage these powerful technologies while maintaining robust governance and risk management practices.

Why This Workshop Matters

The regulatory environment for Insurance and Real Estate sectors in the UAE is evolving rapidly. Compliance leaders face mounting pressure to:

Implement sophisticated risk-based approaches to customer due diligence
Navigate the complexities of AI-powered compliance tools
Balance innovation with regulatory requirements
Manage model risk in automated decision-making systems
Maintain effective governance frameworks in an AI-driven environment

This practitioner-led session has been specifically curated for Insurance and Real Estate Compliance Heads who are at the forefront of these challenges.

Workshop Focus Areas

Participants will gain practical insights into:

AI-Enhanced Due Diligence

Discover how artificial intelligence is reshaping Enhanced Due Diligence frameworks, from initial customer onboarding to ongoing monitoring and risk assessment.

Risk-Based Approaches

Learn advanced techniques for implementing proportionate, risk-based due diligence measures that satisfy regulatory requirements while optimizing operational efficiency.

Governance and Model Risk

Explore frameworks for governing AI systems in compliance operations, including model validation, bias detection, and accountability mechanisms.

Latest Tools and Techniques

Get hands-on exposure to cutting-edge technologies and methodologies that are transforming the compliance function.

Why Attend?

Exclusive Peer Network

Connect with a carefully selected group of no more than 35 senior compliance leaders from Insurance and Real Estate sectors, facilitating meaningful discussions and relationship building.

Practical, Not Theoretical

This is a practitioner-led session focused on real-world applications, case studies, and actionable strategies you can implement immediately.

Stay Ahead of the Curve

In a rapidly evolving regulatory and technological landscape, this workshop provides the knowledge and tools you need to maintain a competitive advantage.

Strategic Insights

Gain perspectives on how AI is not just changing compliance processes, but fundamentally reshaping risk management, customer relationships, and business models.

The First Compliance Advantage

As part of the Adil Zone ecosystem, First Compliance brings deep expertise in regulatory compliance, AML/CFT frameworks, and risk management to organizations across the UAE. Our commitment to “Total Compliance, Total Security” means we understand the unique challenges facing compliance professionals in regulated industries.

This workshop represents our dedication to:

Supporting the professional development of compliance leaders
Fostering knowledge sharing within the compliance community
Advancing best practices in due diligence and risk management
Helping organizations navigate the intersection of technology and regulation

How to Participate

Due to the exclusive nature of this event and limited capacity, attendance is by invitation only. If you are a senior compliance professional in the Insurance or Real Estate sector and would like to be considered for an invitation, please contact:

Email: debbie@dnycommunications.com
Subject: Workshop Invitation Request – January 28, 2026

Please include your name, organization, title, and a brief description of your compliance responsibilities.

Looking Forward

As we approach January 28, 2026, we are excited to bring together some of the most forward-thinking compliance leaders in the UAE for a morning of intensive learning, collaboration, and strategic thinking. The intersection of AI and due diligence represents one of the most significant developments in compliance management in recent years, and this workshop will equip you with the knowledge and tools to navigate this new landscape with confidence.

The regulatory environment will continue to evolve, technologies will advance, and expectations will rise. By investing in your professional development and staying connected with your peers, you position yourself and your organization for success in whatever challenges lie ahead.

Uncategorized

Why UAE Gaming Operators Need a Reliable AML Screening Solution in Dubai

Part 1: The UAE Gaming Market in Context

From Prohibition to a Federal Licensing Regime

Key Milestones

Part 2: The GCGRA's Structure and Mandate

The Four Categories of Regulated Gaming

Technical Standards

Operating Without a Licence

Part 3: GCGRA Licensing - Types, Eligibility, and Process

Who Must Apply?

Licence Types

Eligibility Requirements

The Six-Step Licensing Process

Documentation Checklist

Part 4: AML/CFT Compliance Under the GCGRA

Gaming Operators Are Now DNFBPs

The Legal Framework at a Glance

Core AML Obligations for Gaming Operators

Part 5: Why a Dedicated AML Screening Solution in Dubai Is Central to Gaming Compliance

What the Screening Solution Must Cover

Part 6: Responsible Gaming Obligations

Part 7: Cybersecurity and Technical Compliance

Part 8: Enforcement and Penalties

Part 9: The June 2026 Civil Code Reform

Part 10: Building Your Compliance Programme - A Practical Framework

Ready to Build Your GCGRA-Compliant AML Programme?

Professional Compliance Training in Dubai- Why Choose First Compliance?

What KHDA Approval Means for You

Training Built by Practitioners, for Practitioners

Where Automated Compliance Software Fits In

A KHDA-Approved Foundation for Compliance Training in Dubai

KHDA-Approved Training. Built for the Demands of Modern Compliance.

Virtual Assets and Crypto AML in UAE 2026: VARA, DFSA Updates, and Compliance Essentials for VASPs

Introduction

The UAE Regulatory Landscape for Virtual Assets in 2026

VARA Rulebook 2.0: What Changed in 2025 and Beyond

DFSA Updates: The New Crypto Token Suitability Framework

AML Obligations for VASPs Under UAE Federal Law

What VASPs Must Have in Place: A Practical Compliance Checklist

AML Screening and Sanctions Monitoring

On-Chain Transaction Monitoring

Risk Assessment Documentation

Case Management and Reporting

Why an AML Screening Solution in Dubai Matters for Crypto Compliance

Conclusion

CBUAE Inspections in the Insurance Sector: What to Expect, how to Respond, and Why Compliance Helps

Why CBUAE Inspections Are Important

Sanctions Compliance and Targeted Financial Sanctions: Getting It Right

What Is a Sanctions Compliance Programme?

Understanding Targeted Financial Sanctions

The End-to-End TFS Workflow

Step 1: Screening

Step 2: Alert Handling

Step 3: Escalation

Step 4: Regulatory Reporting

Step 5: Record Keeping and Ongoing Monitoring

Mapping Roles and Functions in the TFS Workflow

Training Needs Analysis and Approved Training Plan

The Full Inspection Lifecycle: Pre-Exit, Exit, and Post-Inspection

Before the Inspection

The Pre-Exit Meeting

The Exit Meeting

How to Write a Strong Post-Inspection Response

How First Compliance Supports Insurance Companies in the UAE

Frequently Asked Questions

What Is FATF? A Complete Guide for Businesses in the UAE and Kuwait

What Is FATF? A Complete Guide for Businesses in the UAE and Kuwait

What Does FATF Stand For?

When and Why Was FATF Created?

What Are the Three Pillars FATF Works On?

Where Is FATF Based and Who Are Its Members?

What Does FATF Actually Do?

FATF does four core things:

What Are the FATF 40 Recommendations?

What Is a Mutual Evaluation Report (MER)?

What Is the FATF Grey List?

Grey List vs Black List

Kuwait and the FATF Grey List: The Full Story

Kuwait's First Greylisting (2012 to 2015)