UAE Ministry of Economy AML Letter of Concern: What It Means for Your Business and How to Prevent It

UAE Ministry of Economy AML Letter of Concern: What It Means for Your Business and How to Prevent It

Across various sectors in the United Arab Emirates, the receipt of a “Letter of Concern” from the AML Authorities has made the rounds. As this is a novel phenomenon, we would like to share our insight into this in a bid to help you tackle this challenge confidently and fearlessly.

What Is a Letter of Concern?

A Letter of Concern is an official regulatory warning issued by the UAE Ministry of Economy and Tourism to businesses that have been deemed non-compliant with the country's Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) framework. It is not a fine, but it is a precursor to one – if not tended to adequately. This is an indication that the Ministry has reviewed your business, found gaps, and is giving you the opportunity to remediate the gaps efficiently.

These letters are issued primarily to Designated Non-Financial Businesses and Professions (DNFBPs). You can have a look at our in-depth look at DNFBPs and covered activities here:https://www.linkedin.com/feed/update/urn:li:activity:7443216405476401152

Why Have Businesses Received This Letter?

Since the UAE was removed from the FATF grey list in 2024 following a period of intensive reforms, enforcement activity has increased significantly and the threshold for acceptable compliance has risen considerably.

The onset of the letter makes it clear that the authorities have conducted offsite reviews of businesses, based on various sources such as submissions. Some of the most common trigger for this letter could be the UAE Ministry of Economy's Risk Assessment Survey. This is a mandatory compliance questionnaire that the Ministry periodically requires all DNFBPs to complete. Once submitted, the Ministry reviews the answers alongside other data sources including third-party databases and previous inspection records. If the responses reveal weak controls, inconsistencies, or missing compliance infrastructure, the Ministry can escalate the case and issue a formal warning.

Framework used for the findings of the authorities

The contents of the Letter are based on the following Legal and Guidance References:

• Federal Decree-Law No. 10 of 2025 Regarding Anti-Money Laundering and Combating the Financing of Terrorism, and Proliferation Financing

• Cabinet Decision No. 134 of 2025 on the Executive Regulations of Federal Decree-Law No. 10 of 2025 Regarding Anti- Money Laundering and Combating the Financing of Terrorism, and Proliferation Financing

• Cabinet Resolution No. 71 of 2024 on Regulating Violations and Administrative Penalties Imposed on Violators of Anti-Money Laundering, Combating Terrorist Financing, and Proliferation Financing Procedures

• Cabinet Resolution No. 74 of 2020 Regulating the Terrorist Lists and Implementing the Security Counsel's Resolution Regarding the Prevention and Suppression of Terrorism and its financing and Proliferation of Armaments and the related resolutions

• Guidelines, controls, circulars, and other national-level guidance issued by the Ministry and the Executive Office for Control and Non-Proliferation (EOCN), as well as any other sector-specific national guidance relevant to given entity.

The Six Areas Where Businesses Most Commonly Fall Short

• Outdated or Missing Policies

Many businesses have AML policies that were written years ago and never updated to reflect changes in legislation. With the introduction of Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025, any policy that predates these instruments is effectively non-compliant. The absence of a policy entirely is something that most certainly needs to be addressed.

• Sanctions Screening Gaps

A significant number of DNFBPs are not subscribed to the EOCN notification system, meaning they receive no real-time alerts when sanctions lists are updated. Others are not screening their customers while some are screening at onboarding but not on an ongoing basis, which means a customer who becomes sanctioned after joining can continue to transact without detection. All the above failures carry serious legal exposure.

• Weak Customer Due Diligence

Applying the same level of scrutiny to every customer regardless of their risk profile is a red flag for regulators. Businesses that do not conduct risk-based assessments and fail to apply Enhanced Due Diligence to higher-risk clients are among the most cited in compliance deficiency communications.

• Lacking Reporting Procedures

Operating without goAML registration means a business has no legal mechanism to report suspicious activity, even if it identifies some. Regulators view this as a foundational failure. Without registration, a business cannot demonstrate any meaningful engagement with the UAE's financial intelligence infrastructure.

Similarly, many businesses have no documented process for what to do when a customer matches a sanctions list. Without a clear procedure for freezing funds, filing a Confirmed Name Match Report (CNMR) or filing a Partial Name Match Report (PNMR), businesses risk inadvertently facilitating sanctions evasion even without any intention to do so.

• Untrained Staff

Policies and procedures are only as effective as the people responsible for implementing them. Businesses that cannot produce training records, attendance logs, or materials demonstrating that staff have been educated on AML obligations (specifically on Targeted Financial Sanctions) are viewed by the Ministry as lacking a genuine compliance culture.

What Happens After a Letter of Concern Is Issued?

The letter sets some deadlines.

1. As soon as possible: A declaration letter, officially approved by the appropriate authority (senior management or shareholders), must be submitted on receipt of the letter. The letter shall include a commitment to implement the corrective measures within no more than one month from the date of receipt of the letter.

2. Within a month of receipt: Evidence confirming the completion of the remedial actions, along with verification that all required documents and control measures have been properly fulfilled and effectively implemented, must be provided to the Ministry of Economy and Tourism.

Failure to comply within the timeframe can trigger administrative sanctions under Cabinet Resolution No. 71 of 2024, which governs AML violations and penalties for DNFBPs. These can include financial penalties of up to AED 5 million per violation, temporary or permanent suspension of the trade license, public disclosure of the violation, and in serious cases referral to the Public Prosecution for criminal proceedings.

How to be better prepared for such a scenario in the future?

Treat all Assessments and Surveys as a Compliance Audit

Every question in the Ministry's survey corresponds to a real legal obligation. Before submitting, use the survey as a checklist and verify that your business can genuinely demonstrate compliance in each area rather than simply answering yes and hoping for the best. Similarly, if any gaps are identified, make an effort to bridge those gaps effectively, without delay.

Register on goAML Immediately

If your business is not yet registered on the goAML platform, this should be the first action taken. Registration is free, it is mandatory for all DNFBPs, and the absence of registration is one of the clearest signals to the Ministry that a business is not taking its obligations seriously.

Subscribe to EOCN Notifications

Subscribing to the EOCN notification system ensures your business receives real-time updates whenever the Targeted Financial Sanctions are updated. This is a simple, free step that directly addresses one of the most common deficiencies identified in Ministry reviews.

Review and Update Your AML Policy Annually

AML policies shouldn’t reflect a point in time in the firms journey, but it should adapt with the changing requirements. With new legislation introduced in 2025, any policy that has not been reviewed in the past twelve months is likely to be out of date. Policies should explicitly reference the current legal framework and include clear, practical procedures for every compliance obligation your business carries.

Build a Documented Screening Process

Sanctions screening should happen at onboarding and on a regular ongoing basis for all customers, beneficial owners, authorized signatories, and counterparties. The screening process should be documented every time it is performed, and the documentation should be retained and accessible for inspection.

Invest in Regular Staff Training

Training should not be a one-time event. All staff with any client-facing or transactional responsibility should receive AML and TFS training on a regular cycle, with induction training provided to new hires. Attendance records and training materials should be kept as evidence that training has actually taken place. If a certificate is issued by a recognized body of education, that’s even better.

Conduct Compliance Audits/Reviews

Before the Ministry reviews your business, review it yourself. Assign responsibility for a periodic independent internal audit that aims to analyze the framework and gaps of the firm. If constraints mean that an internal team member cannot provide independence, engage with a Third-Party firm to provide an unbiased view of the compliance framework, and put their findings to use by acting upon them.

Conclusion:

The UAE has invested considerable political and economic capital in building its reputation as a compliant, well-regulated financial center. The removal from the FATF Grey List in 2024 was the result of sweeping legislative reforms and intensified enforcement activity, and the country has made clear that this momentum will continue. For DNFBPs operating in the UAE, the compliance environment is more demanding than it has ever been, and the Ministry's decision to issue formal warnings and impose penalties reflects a regulatory posture that is firm.

A Letter of Concern is a warning that the system is working as intended. The most effective response to receiving one is to fix the gaps immediately. The most effective response to not yet having received one is to make sure you never do.