Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing (the 2025 AML Law) repeals and replaces Federal Decree-Law No. 20 of 2018 (as amended). It came into force in mid-October 2025 and is expressly designed to strengthen the UAE’s AML/CFT/CPF framework and align it more closely with FATF standards.
Compared to the 2018 law, the 2025 AML Law:
- Broadens the scope of offences and regulated entities
- Introduces new criminal offences and lower evidentiary thresholds
- Significantly increases penalties and personal liability for management
- Enhances the powers of the Financial Intelligence Unit (FIU) and other authorities
- Embeds new compliance duties (including for virtual assets, NPOs and cross-border movements of value)
- Creates new governance and strategic structures for AML/CFT/CPF.
The sections below summarise what is new versus the previous regime and the practical implications for businesses and individuals.
1. Key Legal and Regulatory Changes
1.1 Expanded scope of offences and definitions
a. Proliferation financing and new title
The law’s title now explicitly covers “the Financing of Arms Proliferation”, signalling that proliferation financing (PF) is a standalone focus, not just part of generic “illegal organisations” as under the 2018 law. PF is now clearly treated as a predicate offence and a target of AML controls.
b. Wider predicate offences and digital crime
The definition of “crime/predicate offence” has been widened, including express reference in commentaries to tax evasion and digital/virtual-asset related conduct, which were not clearly articulated in the 2018 text. The law is framed to capture money laundering through digital systems and virtual assets, closing gaps around cyber-enabled and crypto-enabled laundering.
c. Virtual assets and new regulated actors
The 2025 AML Law now defines virtual assets and virtual asset service providers (VASPs) and brings them formally within the AML/CFT/CPF regime. VASPs must be licensed/registered and meet full CDD, monitoring and reporting requirements, on par with financial institutions. Non-compliance, including operating without a licence, is now a specific offence.
In addition, the law and accompanying commentary confirm the extended application of the regime to non-profit organisations (NPOs), reflecting FATF concerns around abuse of charities.
1.2 New criminal offences
Key new offences compared to the 2018 law include:
- Misuse of bank and VASP accounts: Knowingly allowing a third party to use one’s bank account or VASP account for illicit purposes is now a distinct offence, aimed at “money mule” and nominee account structures.
- Unlicensed VASP activity: Operating virtual asset services without proper authorisation now attracts imprisonment and substantial fines.
- Anonymity-enhancing products: Dealing in, or using, products and services that deliberately obfuscate ownership or transaction trails in virtual assets (e.g. mixers, certain privacy tools) is criminalised.
- False beneficial ownership information: Knowingly providing false or misleading information on ultimate beneficial owners (UBOs) is now expressly a criminal offence, upgrading what was previously largely an administrative breach.
1.3 Lower threshold for proving money laundering
A pivotal change relates to the mental element of money laundering and related offences. Under the 2018 law, prosecutors typically had to prove that the accused actually knew that funds were proceeds of crime.
The 2025 AML Law expressly allows knowledge to be inferred from circumstances, so that it is enough that the person “knew or should have known” based on objective indicators. Circumstantial evidence can now satisfy the knowledge requirement. This is a clear “shifting of burdens and accountability”: passive ignorance or “turning a blind eye” is much less defensible than under the old regime.
1.4 Increased penalties and corporate liability
Penalties have been materially strengthened:
- Penalties for Principal offences can now reach AED 100 million (doubling previous upper limits), or the value of the criminal property, whichever is higher in some cases.
- For other breaches, legal persons can still face multi-million-dirham fines, licence suspension or cancellation, activity bans, and even dissolution or closure of premises — sanctions now explicitly applicable beyond terrorism-financing cases.
Crucially, the new law deepens personal liability for senior management. Directors, managers and representatives can be criminally liable where offences occur with their knowledge, consent or connivance, or because of their gross negligence or failure to supervise. This is a more explicit and far-reaching formulation than under the 2018 law.
1.5 Enhanced powers of the FIU and law enforcement
The 2025 AML Law significantly upgrades the powers of the UAE Financial Intelligence Unit (FIU):
- The FIU Chief can suspend transactions for up to 10 working days and freeze assets for up to 30 days, extendable by the Public Prosecution, and without prior notice to the customer.
- The law clearly distinguishes between seizure (transfer of possession to authorities) and freezing (restriction on disposal), with longer timeframes than under the 2018 law.
- Law enforcement agencies and regulators obtain broader powers to request information, share intelligence domestically and cooperate internationally, including executing foreign provisional measures and confiscation orders even where there is no parallel UAE prosecution.
2. Practical Implications
2.1 For businesses and financial institutions
For banks, financial institutions and DNFBPs, the 2025 AML Law is not a cosmetic update; it is a compliance reset:
- Wider scope and licensing: Any business handling value transfers or virtual assets must ensure it is properly licensed and registered (including on goAML where applicable). VASPs and NPOs that previously operated on the edges of the regime are now clearly within it.
- Policy and risk-assessment updates: Internal policies, enterprise-wide risk assessments, and transaction-monitoring scenarios must be updated to reflect:
- Proliferation financing risks
- Tax evasion and complex structuring as predicate crimes
- Crypto-related typologies and anonymity tools
- Governance and “tone from the top”: Boards and senior management must be able to evidence active oversight of AML/CTF/CPF – e.g. regular AML reporting at board level, documented escalation of high-risk cases, and board-approved remediation plans. This is directly linked to their personal liability under the new law.
- Data retention and historic risk: With no limitation period, firms should assume that historic transactions may be scrutinised years later. This justifies extended record-retention periods and robust, searchable archiving of data and STRs.
- Operational readiness: Given the FIU’s strengthened powers, institutions must be able to respond quickly to urgent suspension/freezing orders and comprehensive information requests. Slow or incomplete responses themselves now carry higher risk.
In practice, many institutions will need to undertake a formal gap analysis against the 2025 law, revise their AML frameworks and provide targeted training, particularly for senior management, front-office staff, and those dealing with virtual assets, trade finance and cross-border flows.
2.2 For individuals and senior management
For individuals, especially those in leadership roles, the law has direct consequences:
- Personal accountability: Directors and managers can now be prosecuted where offences occur with their knowledge or because of their serious failures of oversight. Formal titles now carry explicit AML liability.
- Misuse of personal accounts: Allowing others to use personal bank or VASP accounts for their transactions, particularly where the circumstances are suspicious, can expose the account-holder to criminal charges. Individuals should not “lend” accounts or credentials.
- Crypto behaviour: Using unlicensed exchanges or anonymity-enhancing tools can amount to participation in unlawful activity under the new law. Retail users of virtual assets should ensure they transact only via properly regulated channels and maintain clear records of source of funds.
Professionals in DNFBPs (lawyers, accountants, real estate brokers, company service providers) are expected to lift their AML practices – including client screening, UBO verification, and timely suspicious activity reporting – or risk both regulatory and, in serious cases, criminal consequences.
Conclusion
Federal Decree-Law No. 10 of 2025 is a decisive strengthening of the UAE’s AML/CFT/CPF framework, not a routine update. It expands offences, lowers evidentiary thresholds, raises penalties, hard-wires virtual assets and proliferation financing into the regime and, critically, moves accountability firmly to the top of organisations.
For businesses, the key response is to treat AML/CTF/CPF as a strategic governance issue, not merely a compliance checklist:
- Ensure licensing coverage across all relevant entities and activities
- Refresh policies, risk assessments and monitoring tools for the new risks and definitions
- Strengthen board and management oversight and documentation
- Enhance training, especially on personal liability, virtual assets, sanctions and proliferation risk
In the short term, organisations should work within the existing executive regulations while anticipating new implementing regulations that will build on this law. In the medium term, those who move early to align with the 2025 AML Law will be better positioned for regulatory scrutiny, cross-border business, and a financial environment that increasingly rewards strong, demonstrable compliance.
Download the article here.