UAE · Regulatory Compliance

Regulatory Compliance in the UAE: Banking Regulation, AML/CFT & Digital Identity

The UAE’s regulatory framework is one of the most demanding in the world. Navigate banking compliance requirements, AML/CFT obligations under Federal Decree-Law No. (10) of 2025, and the 31 March 2026 authentication mandate — before the financial exposure becomes unmanageable.

Built on 20 years of European regulatory expertise.
Compliant with GDPR and ISO 27001.

Request your free compliance audit

We detect your location:

We see that you're in United States

Not your country?

Clientes que confían en nosotros

Certificaciones y estándares internacionales

Regulatory context

Why banking compliance now defines market structure in the UAE

Compliance has become one of the main forces that determine who can operate, grow and compete in the UAE financial sector. The UAE’s regulatory framework is built on a model of one country, multiple regulators, and distinct legal free zones.

Primary AML/CFT legal framework

Federal Decree-Law No. (10) of 2025 on AML, CFT and Combating the Financing of the Proliferation of Weapons of Mass Destruction — the main AML/CFT law in force.
Cabinet Resolution No. (134) of 2025 — Executive Regulations: CDD/EDD, beneficial ownership, PEPs, wire transfers, record-keeping (min. 5 years) and group AML programmes.
Federal Decree-Law No. (6) of 2025 — Primary Banking Law. Codifies the Digital Dirham as legal tender.

Regulatory bodies

CBUAE: Primary onshore regulator for banks, finance companies, exchange houses and payment institutions.
SCA: Securities markets, public offerings, funds and certain virtual-asset activities.
DFSA (DIFC): Independent regulator for DIFC free zone, common-law style regime.
FSRA (ADGM): Supervises ADGM; pioneering Virtual Asset Framework.
VARA: Regulates virtual asset activities in Dubai (excluding DIFC).

Digital identity & authentication

Federal Decree-Law No. (30) of 2024 — mandatory National KYC Digital Platform.
CBUAE Notice 2025/3057 — phase-out of SMS and email OTPs by 31 March 2026.
Identity defined by biometrics with liveness checks, verified data from official sources, and device, IP and behavioural signatures.
AI models affecting AML, fraud or credit decisions must be inventoried, documented, validated and explainable.

UAE & GCC Regulatory Compliance Framework Guide 2026

Federal Decree-Law 10/2025 · Cabinet Resolution 134/2025 · CBUAE Notice 2025/3057

Critical regulatory milestones & penalties

UAE compliance calendar 2025–2026

The CBUAE structured the OTP elimination in two enforcement waves. The financial exposure did not wait for March 2026 — it started in July 2025.

31 March 2026 — hard deadline, no extensions announced. CBUAE Notice 2025/3057 is firm. The regulator has confirmed no grace periods. Administrative penalties of up to AED 250,000 apply for significant violations from this date.

October 2025

In force

Federal Decree-Law No. (10) of 2025 issued — updates 2018 AML law. Defines ML/TF offences, duties of Financial Institutions and DNFBPs, and powers of FIU and Central Bank.

2025

Active

Cabinet Resolution No. (134) of 2025 — new operational baseline for CDD, EDD, beneficial ownership, PEPs, wire transfers and record-keeping (min. 5 years).

July 2025

Fraud liability shift - active now

Banks fully liable to refund 100% of any 3DS fraud involving SMS OTP. Every fraudulent transaction is a direct financial loss for the institution — regardless of customer negligence.

31 March 2026

Hard deadline

Complete elimination of SMS and email OTPs. Administrative penalties up to AED 250,000 for significant violations. CBUAE conducts formal reviews every 6 months.

Penalties and sanctions summary

Type of penalty	Amount / Impact	In effect from
3DS fraud reimbursement via SMS OTP	100% of each fraudulent transaction	July 2025
Administrative fine for significant non-compliance	Up to AED 250,000 (~USD 68,000)	31 March 2026
Operating licence sanctions	Restriction or revocation after regulatory review	After regulatory review
Elevation of regulatory risk profile	Impact on CBUAE dashboard rating and audits	Immediate upon non-compliance
AML violations (CB Law 2025)	Up to AED 100 Million	In force

Reference: in March 2025 the CBUAE imposed total sanctions of AED 2,621,000 on five banks and two insurers for CRS/FATCA violations, demonstrating active enforcement willingness.

Is your institution ready for the 31 March 2026 OTP mandate?

Free 15-minute compliance diagnostic with our UAE specialists.

AML, authentication & digital identity

UAE regulatory compliance requirements: AML, authentication & digital identity checklist

Compliance Officers and CISOs preparing for CBUAE inspections must validate these blocks. Content based on Federal Decree-Law No. (10) of 2025, Cabinet Resolution No. (134) of 2025, CBUAE Notice 2025/3057 and CBUAE guidance.

CDD and EDD procedures

Enterprise-wide ML/TF risk assessment aligned with Federal Decree-Law 10/2025
Risk-based CDD including robust beneficial ownership verification
Enhanced Due Diligence (EDD) for PEPs and high-risk customers
Identification of beneficial owners of legal persons (threshold per Cabinet Resolution 134/2025)
Application of new requirements to existing customers on a risk basis
Record-keeping for at least five years after end of relationship or transaction

Transaction monitoring & STRs

Ongoing transaction monitoring of business relationships
Dynamic, behaviour-sensitive monitoring — not just static thresholds
Detection of Trade-Based Money Laundering (TBML) patterns
Monitoring of Wages Protection System (WPS) salary transfers
Timely and well-substantiated Suspicious Transaction Reports to the FIU
Case management system generating clear investigation narratives for STRs

Sanctions & PEP screening

Targeted financial sanctions screening at onboarding and transaction level
PEP screening including Arabic name resolution and alias matching
Wire transfer information: originator and beneficiary data per FATF Recommendation 16
Cross-border corridor monitoring given ML/TF and fraud vulnerability
Group-wide AML programme covering branches and subsidiaries abroad

OTP phase-out — 31 March 2026

Full phase-out of SMS and email OTPs per CBUAE Notice 2025/3057
Phishing-resistant MFA operational: biometric factors (face, fingerprint or voice), passkeys/FIDO2
Adaptive risk-based authentication framework in place
3DS fraud liability review: banks fully liable for SMS OTP fraud since July 2025
Exception documented for customers refusing mobile apps (written request + liability transfer)
Testing and validation of biometric authentication completed

Digital onboarding & KYC (Law 30/2024)

Compliance with mandatory National KYC Digital Platform (Federal Decree-Law 30/2024)
Biometric verification with liveness detection for onboarding
Injection attack protection against deepfake video or image feeds
One-to-N biometric matching to detect same person opening multiple accounts
Synthetic identity and New Account Fraud (NAF) detection before onboarding completes
Full audit trail of all verification steps

Governance, AI & data

Board-level AML/CFT oversight with independent risk and compliance functions
AI models affecting AML, fraud or credit decisions inventoried, documented and explainable
Model validation and back-testing cycles defined and followed
Data lineage, quality controls and governance for all compliance datasets
Mule account detection and network analysis for systemic account abuse
VARA/FSRA crypto custody and cyber-security controls (where applicable)

Facephi solutions for UAE

Compliance-specialised solutions for high-risk environments

Facephi’s 360-degree financial crime technology stack is built to help UAE financial institutions meet both today’s strict legal requirements and the 2026–2030 regulatory horizon.

AML/CFT supervision priorities

Central Bank AML/CFT supervision
Wages Protection System (WPS) monitoring
Trade-Based Money Laundering (TBML) detection
Dual Islamic/commercial banking models
Data residency and cybersecurity requirements

Compliance solutions

WPS salary transfer verification
Network analysis for mule account detection
Arabic PEP screening and alias resolution
TBML transactional pattern detection
On-premise deployment options

360° technology stack

Identity fraud and onboarding integrity: biometrics, liveness, injection attack protection
OTP replacement: phishing-resistant biometric MFA, passkeys/FIDO2, risk-based authentication
Behavioral intelligence and ATO prevention
AML, mule detection and networked defense

How Facephi helps each team

CISO / Fraud / Risk

Helps reduce fraud exposure: replace OTP with modern authentication and session compromise controls.

Includes liveness, passkeys/FIDO2, real-time analytics and deepfake/video injection detection.

Compliance / Regulatory

Helps align with CBUAE Notice 2025/3057: eliminate SMS/email OTP before 31 March 2026

Helps minimise regulatory risk and financial exposure derived from OTP-based authentication.

Digital / CX / Product

Less friction than OTP, more trust: biometrics and adaptive risk-based authentication

Helps improve the experience/security balance without depending on SMS or email.

C-Level / Business

Helps meet the deadline and turn security into a competitive differentiator in UAE

Unifies compliance, fraud reduction and competitive positioning.

Explore Compliance Solutions for UAE

Contact our UAE specialist team for a tailored assessment.

Explore solutions

Market context

The UAE: regulatory anchor of the GCC

One country, multiple regulators: CBUAE, SCA, DFSA (DIFC), FSRA (ADGM) and VARA — each with its own rulebook. Jurisdiction choice is a strategic compliance decision.
FATF grey-list exit drove marked increase in enforcement. Inspections, enforcement actions and remediation programmes intensified from 2022–2024. Institutions that treat AML, sanctions and mis-selling as soft issues face serious remediation programmes and fines.
Maximum fines raised significantly: AED 1 Billion under CB Law 2025, AED 100 Million for AML violations, AED 250,000 for significant OTP non-compliance. Compliance is now a hard financial risk, not just reputational.
Digital fraud complaints grew 73% year-on-year in early 2025, creating strong regulatory and political pressure to enforce the authentication mandate strictly.
2026–2030 horizon: Continuous supervision powered by transaction-level feeds, supervisor APIs, AI models treated as regulated components, and biometric/digital-ID standards. In January 2026 the CBUAE launched a biometric payment pilot with PopID and Network International at the Dubai Land Department — signalling the direction of travel.

Frequently asked questions

FAQ: Regulatory Compliance in the UAE

Answers to the most common questions from Compliance Officers in the UAE about AML compliance, CBUAE requirements and the 31 March 2026 mandate.

UAE banks must comply with Federal Decree-Law No. (10) of 2025 and Cabinet Resolution No. (134) of 2025. Core requirements include: enterprise-wide ML/TF risk assessments, risk-based CDD and EDD including beneficial ownership verification, ongoing transaction monitoring and sanctions screening, and timely Suspicious Transaction Reports to the FIU. Maximum fines increased to AED 1 Billion under CB Law 2025 and AED 100 Million for AML violations.

CBUAE Notice 2025/3057 requires the complete phase-out of SMS and email one-time passwords (OTPs) by 31 March 2026. The mandate was structured in two enforcement phases: from July 2025, banks became fully liable to refund any 3DS fraud involving SMS OTP; from 31 March 2026, SMS and email OTPs must be fully eliminated with administrative penalties of up to AED 250,000 for significant violations. There are no announced extensions or grace periods. A limited exception exists for customers who refuse mobile apps, provided the bank obtains a written request and fraud liability is explicitly transferred to the customer.

Non-compliance operates at two levels. First, since July 2025, banks are fully liable to refund 100% of any 3DS fraud occurring while SMS OTP is still in use. Second, from 31 March 2026, administrative penalties of up to AED 250,000 (~68,000 USD) apply for significant violations. The CBUAE also conducts formal reviews every six months. Beyond direct fines, non-compliance can result in elevation of the institution’s risk profile in CBUAE dashboards, impact on operating licence, and reputational damage in a market where digital fraud complaints grew 73% in 2025.

CBUAE Notice 2025/3057 opens the door to more advanced authentication models including: biometric authentication with liveness detection, passkeys and FIDO2 standards, and adaptive risk-based authentication frameworks. Real-time fraud prevention including deepfake detection and video injection attack prevention are also part of the modern authentication stack expected by the CBUAE. The regulation explicitly requires phishing-resistant methods that cannot be intercepted like SMS OTPs.

The CBUAE has been unequivocal: the 31 March 2026 deadline is firm, with no extensions and no exceptions publicly announced. The regulator demonstrated its willingness to act in March 2025, when it imposed AED 2,621,000 in sanctions on five banks and two insurers for CRS/FATCA violations. The liability shift for 3DS fraud has been in effect since July 2025, meaning non-compliant banks are already absorbing direct financial losses.

From July 2025, banks became fully responsible for reimbursing any 3D Secure fraud that occurs while they are still using SMS OTP authentication. This converts every fraudulent transaction into a direct financial loss for the institution, regardless of whether the customer acted with negligence. The financial exposure from non-compliance began in July 2025, months before the full OTP ban of 31 March 2026.

Federal Decree-Law No. (10) of 2025 defines money-laundering, terrorism-financing and financing of illegal organisations. It specifies duties for Financial Institutions and DNFBPs, sets powers of competent authorities including the FIU and Central Bank, and requires risk-based CDD/EDD, beneficial ownership identification, wire transfer information, record-keeping for at least five years, and group-wide AML programmes.

Cabinet Resolution No. (134) of 2025 is the Executive Regulations of Federal Decree-Law No. (10) of 2025. It operationalises the Decree-Law by spelling out risk-based CDD and EDD requirements, procedures to identify and verify Beneficial Owners and treat PEPs, information that must accompany wire transfers in line with FATF Recommendation 16, record-keeping obligations for at least five years, and group-wide AML programmes covering branches and subsidiaries abroad.

Federal Decree-Law No. (30) of 2024 established the mandatory National KYC Digital Platform in the UAE. Financial service providers must be able to prove that the person claiming to be a customer is, in reality, that person, using biometrics with liveness checks, advanced injection attack protection, and verified data from official sources. Identity is defined not just by documents but also by device, IP and behavioural signatures.

The UAE has a multi-regulator model. CBUAE is the primary onshore regulator for banks, finance companies, exchange houses and payment institutions. SCA regulates securities markets and certain virtual-asset activities. DFSA supervises entities in DIFC. FSRA supervises entities in ADGM. VARA regulates virtual asset activities in Dubai (excluding DIFC). All translate Federal Decree-Law 10/2025 and Cabinet Resolution 134/2025 into sector-specific requirements.

Under Cabinet Resolution No. (134) of 2025, financial institutions must maintain records for at least five years after the end of a relationship or transaction. This applies to CDD/EDD documentation, transaction records, and Suspicious Transaction Reports submitted to the FIU.

Trade-Based Money Laundering (TBML) is the use of international trade transactions to disguise the proceeds of crime and move value across borders. It is a priority risk in the UAE given its position as a major global trade and re-export hub. Institutions must implement transaction monitoring capable of detecting TBML patterns and possible trade finance breaches.

Is your institution ready for the 31 March 2026 deadline?

Request a free UAE AML compliance diagnostic — 15 minutes with our specialists.