UAE Post-Grey List: Two New Laws Reshape AML Obligations

In February 2024, the United Arab Emirates was removed from the Financial Action Task Force Grey List-a significant moment for the country’s financial system. Seven months later, in July 2025, the EU removed the UAE from its high-risk jurisdiction list. But the UAE is not resting on this achievement. Instead, two federal decrees enacted in September and October 2025 dramatically expand the country’s AML framework, tightening obligations on banks, fintechs, and virtual asset service providers.

For compliance officers managing UAE exposure, these new laws represent material shifts in the regulatory perimeter and evidentiary standards institutions must meet. The first law consolidates and extends Central Bank enforcement authority. The second introduces a lower burden of proof for AML violations, adds non-profits and virtual asset providers to covered entities, and requires institutions to trace beneficial ownership through indirect control chains. Financial institutions that calibrated compliance posture to the 2024 grey list exit may find themselves underinvested in what these laws now demand.

Why the UAE Was on the FATF Grey List and What Changed

The FATF placed the UAE on the Grey List in 2020 due to gaps in its AML and counter-terrorism financing framework. Core risks were structural: complex ownership structures obscuring ultimate beneficial owners, high cash transaction volumes from migrant worker remittances and informal money services, and substantial inflows of high-net-worth individuals and politically exposed persons.

Between 2020 and 2024, the UAE enacted regulatory reforms. The Central Bank of the UAE (CBUAE) strengthened KYC standards, introduced AML/CTF licensing requirements, and enhanced sanctions screening. Financial institutions adapted, deepening beneficial ownership verification and expanding transaction monitoring. By early 2024, the FATF determined these measures closed the deficiencies.

But regulatory evolution continued. The UAE’s underlying risk profile-high cash velocity, large PEP populations, growing fintech and cryptocurrency adoption-remains. The two new federal decrees suggest the CBUAE intends to embed compliance gains into law and extend them into sectors previously outside the regulatory perimeter.

Federal Decree Laws No. 6 and No. 10: Authority, DeFi, and Beneficial Ownership

Federal Decree Law No. 6 of 2025 took effect on September 16, 2025, consolidating prior AML/CTF regulations into a single statutory framework and granting the CBUAE significantly expanded enforcement and penalty powers. For the first time in UAE law, DeFi platforms, protocols, and infrastructure that facilitate financial services are now explicitly covered entities. Virtual asset service providers had already been brought into the regulatory perimeter, but the law now extends coverage to the technological infrastructure supporting DeFi operations. Custodians, liquidity providers, and staking service providers-entities that previously operated in a gray zone-must now comply with CBUAE AML/CTF standards. Newly covered entities have until September 16, 2026 to achieve full compliance.

Federal Decree Law No. 10 of 2025 became effective on October 14, 2025 and introduces material changes to AML obligations. The law expands the definition of beneficial ownership to include indirect control chains. Previous regulations required institutions to identify the individual who ultimately owns or controls an entity. Law No. 10 explicitly extends this to persons who exercise control through layers of intermediaries, shell companies, or other structures designed to obscure the chain. Compliance teams now face the obligation to trace through multi-level ownership structures across multiple jurisdictions.

Law No. 10 also introduces a lower evidentiary threshold for AML violations, replacing the standard of actual knowledge with a “knew or should have known” standard. An institution is potentially liable if it had sufficient or circumstantial evidence suggesting illegal activity, whether or not it actively knew of the violation. This shifts liability from intent-based prosecution to negligence-based liability. Additionally, the law introduces proliferation financing criminalization, specifically targeting the financing of weapons of mass destruction and dual-use items. This extends AML obligations beyond traditional money laundering and sanctions evasion to include screening for transactions with proliferation risk. Institutions must review trade transactions, supplier networks, and end-use documentation with attention to WMD and strategic goods. Together, these provisions materially broaden the scope of what compliance programs must monitor.

What These Changes Require from Compliance Programs Serving the UAE

For financial institutions and fintechs with UAE operations or clients, four immediate steps follow.

First, conduct a gap analysis against the beneficial ownership definition in Law No. 10. Current KYC procedures likely stop at the first layer of identified owners. The new standard requires mapping indirect control. A beneficial ownership network approach-mapping ownership chains across jurisdictions and identifying controlling shareholders through multiple layers-is now a compliance necessity.

Second, integrate trade finance and transaction-level data into transaction monitoring. The proliferation financing offense requires institutions to screen shipments, suppliers, and end-use declarations against strategic goods lists. A bank processing a letter of credit for dual-use equipment shipment now faces the obligation to evaluate end-use and destination against proliferation risk.

Third, lower the threshold for escalation and investigation in transaction monitoring. The “knew or should have known” standard means that circumstantial evidence of illicit activity can trigger liability. A transaction with a PEP lacking clear beneficial ownership documentation, or a trade transaction with ambiguous end-use, may warrant investigation even absent definitive red flags.

Fourth, extend AML program coverage to virtual asset service providers and non-profits if those entities are clients or counterparties. These entities now have their own AML obligations, and covered entities must screen counterparties against these populations with the same rigor applied to other client types.

Moving Forward

The UAE’s post-grey list era is one of regulatory deepening, not complacency. Laws No. 6 and No. 10 represent a deliberate choice by the CBUAE to embed and extend the AML framework that led to grey list removal. Financial institutions that treated the 2024 delisting as a compliance plateau will find that these laws require recalibration.

For compliance teams managing UAE exposure, this means moving beyond isolated beneficial owner identification to mapping entire control chains, integrating trade intelligence, and screening across virtual asset and nonprofit sectors. If you’re operating in the UAE or serving UAE-based clients, assess whether your beneficial ownership and transaction monitoring frameworks reflect the requirements embedded in Laws No. 6 and No. 10. Request a demo to see how Sayari’s ownership network and trade data support post-Law 10 compliance.

Learn more about Sayari’s financial crime use case or explore how our platform identifies hidden ownership and trade-based money laundering risks.