What this guide covers
- The Legal Framework: Cabinet Decision 109/2023 and Its Statutory Context
- Applying the 25% Test: Shareholding, Control, and the Real-Beneficiary Concept
- Real-Beneficiary Registers: Content, Maintenance, and the Central MoE Register
- Complex Holding and Free-Zone Structures: Practical Stress-Testing
- Penalties and Enforcement: The Post-January 2024 Escalation
- Nominee Arrangements, Trusts, and the Sanctions Overlay
- Building a Defensible Compliance Programme: Practical Steps for Groups and GCs
- Practical checklist
- What we'd typically advise
- Frequently asked questions
Cabinet Decision 109/2023 overhauled the UAE's beneficial ownership framework, tightening the 25% threshold test and imposing enforceable register obligations on mainland and most free-zone entities. Since January 2024, regulators have escalated penalties against non-compliant holding chains and nominee arrangements.
The Legal Framework: Cabinet Decision 109/2023 and Its Statutory Context
Cabinet Decision 109/2023 (CD 109) is the primary instrument governing beneficial ownership (BO) disclosure obligations for UAE legal persons and arrangements. It replaced Cabinet Decision 58/2020 and introduced a materially revised definition of the ultimate beneficial owner (UBO): any natural person who, directly or indirectly, owns or controls a legal person through ownership of 25% or more of the shares or voting rights, or who otherwise exercises effective control through any other means. The 25% threshold is now the single bright-line test applicable across mainland, free-zone (with limited exceptions for ADGM and DIFC-regulated entities), and branch structures. Critically, CD 109 captures both formal ownership and substantive control—meaning a person who has the power to appoint or remove the majority of the board, or who otherwise directs the legal person's affairs, is captured even if their direct shareholding falls below 25%.
CD 109 operates within a broader AML/CFT statutory architecture. Federal Decree-Law 10/2025 (in force 14 October 2025), which repealed Federal Decree-Law 20/2018, elevates BO failures to predicate offences capable of grounding money laundering liability. Under Article 2 of FDL 10/2025, the offence of money laundering extends to proceeds generated from, among others, tax evasion and proliferation financing—both newly added predicates—meaning that opaque BO structures used to conceal taxable income or facilitate sanctions evasion carry compounded criminal exposure. Cabinet Resolution 134/2025 (the executive regulations to FDL 10/2025, in force 14 December 2025) reinforces the obligation on designated non-financial businesses and professions (DNFBPs) and financial institutions to verify and record UBO information independently of the registrant's self-declaration.
The Federal Decree-Law 31/2021 Penal Code (in force 2 January 2022, as amended by FDL 36/2022) provides the criminal backdrop: wilful submission of false BO information to a regulator may constitute the offence of forgery (Articles 251–258) or fraud (Article 399), each carrying custodial sentences. The Criminal Procedure Law—Federal Decree-Law 38/2022 (in force 1 March 2023, as amended by FDL 45/2023)—governs the investigative and prosecutorial process, including the ability of public prosecutors to freeze assets and compel document production from corporate registrars without prior notice to the subject entity.
For entities licensed by the Central Bank of the UAE, Law No. 6/2025 (the CBUAE Law) grants the Central Bank supervisory authority over BO compliance with administrative fines reaching AED 1 billion per violation. Financial institutions should treat CD 109 obligations as parallel to, and not substitutable for, their CBUAE-mandated customer due diligence frameworks under Cabinet Resolution 134/2025.
Applying the 25% Test: Shareholding, Control, and the Real-Beneficiary Concept
The 25% ownership threshold under CD 109 is assessed on an aggregated, look-through basis. Where a natural person holds 15% directly and a further 12% through a wholly-owned intermediate holding company, the aggregate exceeds 25% and registration as a UBO is mandatory regardless of the intermediate entity's jurisdiction of incorporation. This look-through obligation is explicit in CD 109 and mirrors the FATF Recommendation 24 standard. Practitioners must resist the common client misconception that inserting a Cayman, BVI, or offshore holding layer between the natural person and the UAE entity extinguishes the BO obligation—it does not; it merely creates an additional disclosure layer and, if deliberately used to conceal, aggravates criminal exposure under FDL 10/2025.
CD 109 identifies three independent limbs through which a natural person becomes a UBO: (i) ownership of 25% or more of shares or voting rights; (ii) the right to appoint or remove the majority of the board of managers or directors; and (iii) actual or effective control by any other means, including through contractual arrangements, trusts, or nominee relationships. Limb (iii) is the most consequential in practice. A side-letter granting one shareholder a unilateral veto over all material decisions, or a trust deed under which a settlor retains the power to revoke and receive trust assets, will each bring the relevant natural person within scope regardless of their nominal shareholding. Nominee directors or shareholders are explicitly addressed: the nominee must disclose the identity of the real beneficiary, and the entity must record both the nominee's details and the underlying principal's details in the BO register.
Where no natural person meets any of the three limbs—genuinely rare in practice but theoretically possible in widely dispersed public companies—CD 109 requires the entity to record the senior managing official (typically the CEO or Managing Director) as the registrant UBO. This is a default position only and does not displace the look-through obligation where control is merely obscured rather than genuinely absent. Regulators have been alert to entities claiming the senior-official default to avoid disclosing a controlling family shareholder whose interests are held through multi-tier structures.
Free-zone entities present particular complexity. ADGM and DIFC entities that are subject to those centres' own BO regimes (the ADGM BO Regulations and DIFC Companies Law respectively) may rely on those parallel regimes to satisfy equivalent obligations, but they remain subject to CD 109's notification obligations to the Ministry of Economy (MoE) central register. Entities in other free zones—JAFZA, DMCC, RAKEZ, and others—are directly within the CD 109 scope without any parallel-regime carve-out, and their authorities have received delegated enforcement mandates from the MoE.
Real-Beneficiary Registers: Content, Maintenance, and the Central MoE Register
CD 109 requires every in-scope legal person to maintain two distinct internal registers: the Partners/Shareholders Register and the Real Beneficiaries Register (the BO Register). The BO Register must be held at the entity's registered address in the UAE and made available for inspection by competent authorities on demand without prior notice. The minimum prescribed content for each UBO entry is: (i) full legal name and nationality; (ii) date of birth; (iii) place of birth; (iv) country of residence; (v) passport or national ID number and expiry date; (vi) the basis on which the person qualifies as a UBO (the relevant limb under CD 109); (vii) the date on which the person became, and if applicable ceased to be, a UBO; and (viii) the date on which the entry was recorded or updated.
Critically, CD 109 imposes a continuous update obligation: any change in BO information must be notified to the relevant licensing authority and reflected in the internal register within 15 days of the change occurring. This is not a periodic filing—it is a real-time obligation triggered by any event that alters ownership or control, including share transfers, board composition changes, trust deed amendments, or death of a recorded UBO. In holding structures where a UAE subsidiary is several tiers below the ultimate parent, the subsidiary's compliance team is responsible for tracking upstream changes—which in practice requires either a mandated reporting obligation in the group's governance framework or a standing instruction from the parent to notify relevant subsidiaries.
In addition to internal registers, CD 109 created the MoE Central Beneficial Ownership Register, a non-public registry accessible only to competent authorities (including the Financial Intelligence Unit, public prosecutors, and CBUAE supervisors). Licensed entities submit their BO data directly to the MoE's digital portal. Discrepancies between the internal register and MoE portal data are a primary trigger for regulatory investigation—the Central Bank and free-zone authorities conduct periodic data-matching exercises to identify divergences. Financial institutions performing customer due diligence under Cabinet Resolution 134/2025 may request a certified extract of a counterparty's BO register; refusal to provide one within a reasonable timeframe is itself a red flag under the AML/CFT framework.
Entities in structures involving trusts or foundations face additional complexity. A UAE-registered foundation (governed by Cabinet Decision 122/2020 for onshore foundations or the ADGM and DIFC foundation frameworks) that controls a UAE operating company must disclose the foundation's UBOs at the operating company level. If the foundation's charter grants the founder or a protector control rights falling within CD 109's limb (iii), those individuals must be recorded as UBOs of the operating company—not merely as foundation officials. Trustees of foreign law trusts holding UAE entities are expected to provide equivalent disclosure to their UAE entity's licensing authority, consistent with FATF Recommendation 25 standards incorporated into Cabinet Resolution 134/2025.
Complex Holding and Free-Zone Structures: Practical Stress-Testing
The most frequent compliance failures since January 2024 have arisen in three structural archetypes. The first is the offshore topco with UAE subsidiaries: a BVI or Cayman holding company owns 100% of a DMCC or JAFZA entity. The UAE subsidiary's licensing authority expects BO disclosure that looks through the offshore topco to the natural persons who own or control it. Where the offshore topco is itself held by a Cayman unit trust whose beneficial interest is spread across family members, the entity must identify each family member holding 25% or more of the units—or, if none individually reaches 25%, must apply the control limb to identify who directs the trust. Offshore counsel opinions that a trust has no 'beneficial owners' in the civil law sense are not accepted by UAE authorities.
The second archetype is the multi-family UAE holding group in which several UAE national families collectively own a mainland LLC or a free-zone holding company. Where each family's aggregate shareholding (held across multiple individual and corporate vehicles) exceeds 25%, each family must be disaggregated to its natural-person UBOs. A common error is treating the family patriarch as the sole UBO where adult children hold registered shares—if any child holds or controls 25% or more through their own vehicles, they are independent UBOs. The 15-day update obligation is operationally demanding in these structures because intrafamily transfers are rarely tracked with the same rigour as third-party transactions.
The third archetype is the SPV chain used for real estate or private equity investment. A UAE LLC holds a single real estate asset; above it sit two or three intermediate holding companies incorporated in different jurisdictions; above those sits a discretionary trust. The LLC's licensing authority requires the SPV to identify UBOs as if the entire chain were transparent. If the trust is discretionary and no beneficiary has a vested interest exceeding 25%, the entity must apply the control test to the trustee and settlor. If the settlor retains a power of revocation or a letter of wishes granting effective control, the settlor is the UBO. This analysis must be refreshed whenever the trust deed is amended or trustee succession occurs—a change that frequently goes unreported because it occurs at the topco level and those responsible do not appreciate its downstream UAE compliance consequence.
For DIFC and ADGM entities, the parallel regime point requires precise analysis. DIFC entities incorporated under the DIFC Companies Law (DIFC Law No. 5 of 2018, as amended) maintain their own BO register with the DIFC Registrar of Companies. ADGM entities similarly register under the ADGM Companies Regulations 2020. Both centres have agreed data-sharing arrangements with the MoE, but this does not mean that an entity in those centres is exempt from ensuring its BO data is accurate and current under CD 109—the data-sharing mechanism is designed to prevent duplicate registration, not to reduce the substantive disclosure obligation. Entities that are not regulated by the DFSA or FSRA but are merely incorporated in DIFC or ADGM (so-called 'non-regulated entities') remain fully within CD 109 scope without any regulatory-status carve-out.
Penalties and Enforcement: The Post-January 2024 Escalation
The enforcement landscape changed materially from January 2024. The MoE and free-zone authorities moved from a predominantly notification-and-cure model to one involving immediate administrative penalties for initial non-compliance and escalating sanctions for persistent or deliberate failures. Under CD 109, administrative penalties for non-compliance include fines, suspension of the entity's trade licence, and in aggravated cases referral to the public prosecutor. The specific penalty schedule under CD 109 provides fines that range from AED 100,000 for failure to maintain accurate registers up to AED 1,000,000 for wilful concealment or submission of false information. These are per-violation figures; regulators have assessed multiple violations in a single audit cycle where different registers are deficient in different respects.
Under FDL 10/2025, BO non-compliance that is causally connected to a money laundering or terrorism financing offence is not merely an administrative matter—it becomes a component of the criminal charge. Personal liability is expressly extended to managers, directors, and senior officers who knew of the BO failure or who failed to take reasonable steps to ensure compliance. This codifies what was previously a more contested prosecutorial argument: that a CEO who signed off on a structure knowing that it concealed a true UBO could face personal criminal liability distinct from the corporate entity's liability. The maximum fine for a legal person under FDL 10/2025 is AED 100 million; there is no statute of limitations for money laundering offences under that law.
The Central Bank, exercising its powers under CBUAE Law No. 6/2025, has authority to impose administrative fines of up to AED 1 billion on regulated financial institutions that fail to conduct adequate UBO due diligence on their customers. This is relevant not only for the financial institution itself but also for the corporate customer: a Central Bank enforcement action against a bank for inadequate UBO verification of a client will typically trigger a parallel MoE review of the client entity's own BO register. Financial institutions should therefore treat their CD 109 compliance as pre-emptively protective against becoming the subject of a CBUAE enforcement action arising from a client's opacity.
The UAE's removal from the FATF grey list in February 2024 and the EU's removal of the UAE from its high-risk third-country list in 2025 have not reduced enforcement intensity—if anything, they have increased it, because the UAE's international commitments now require demonstrated sustained compliance rather than emergency remediation. With a mutual evaluation scheduled for 2026, the MoE, CBUAE, and free-zone authorities are conducting thematic reviews of BO register quality across sectors. Entities that were audited and found compliant in 2022 or 2023 should not assume that their position is secure without a current review against the CD 109 framework.
Nominee Arrangements, Trusts, and the Sanctions Overlay
Nominee shareholder and director arrangements are a discrete area of heightened regulatory focus. CD 109 does not prohibit nominees, but it mandates full transparency: the nominee must be recorded as the registered holder in the Partners/Shareholders Register, and the principal (the person on whose behalf the nominee acts) must be recorded as the UBO in the Real Beneficiaries Register. The nominee agreement itself must be disclosed to the licensing authority on request. Any structure in which the nominee relationship is concealed—either by treating the nominee as the UBO or by maintaining no register at all—is treated as a deliberate concealment offence, not merely an administrative oversight, under both CD 109 and FDL 10/2025.
The sanctions overlay adds a further dimension. Where a recorded or concealed UBO is subject to UAE domestic sanctions (administered by the Executive Office for Control and Non-Proliferation, EOCN) or international sanctions implemented in the UAE, the entity's BO failure is simultaneously an AML/CFT offence and a sanctions violation. FDL 10/2025 includes proliferation financing as a predicate offence, meaning that a structure that channels funds to a sanctioned person—even indirectly through a multi-tier holding chain—can give rise to money laundering liability for the UAE entity and its directors. Cabinet Resolution 134/2025 requires financial institutions to screen UBO data against sanctions lists at onboarding and on an ongoing basis; a change in UBO that goes unreported under CD 109 may therefore also prevent a financial institution from fulfilling its screening obligations, compounding both the client's and the institution's exposure.
Trust structures involving UAE situs assets require particular care under the interaction of CD 109 and the UAE trust law framework. Where a UAE foundation (governed by Cabinet Decision 122/2020 or a free-zone foundation framework) holds shares in a UAE operating entity, the foundation's founder, supervisory board members, and beneficiaries with a vested interest of 25% or more in the foundation's assets must be recorded as UBOs of the operating entity. If the foundation's articles vest control in an independent supervisory board with no meaningful input from the founder, and no beneficiary has a vested interest, the foundation's supervisory board members are recorded as UBOs. However, regulators have become adept at identifying foundations whose independence is nominal—where the founder dictates decisions through informal mechanisms—and treating the founder as the UBO through the 'effective control' limb of CD 109.
Building a Defensible Compliance Programme: Practical Steps for Groups and GCs
A defensible CD 109 compliance programme for a multi-entity UAE group begins with a full legal entity inventory: every entity incorporated or licensed in the UAE (mainland or free zone), every branch of a foreign company, and every UAE-situs foundation or trust arrangement. Each entity must be assessed individually because the BO analysis may differ across entities in the same group—a structure in which entity A is 100% owned by entity B (itself 60% owned by a single individual) has a straightforward UBO at entity A level, whereas entity B may have a more complex BO picture if the remaining 40% is dispersed across a family trust with multiple potential UBOs.
The governance mechanics of the programme should include: (i) a designated BO Compliance Officer at group and subsidiary level with a clear mandate and board-level accountability; (ii) a standardised UBO data collection template covering all CD 109-required data fields; (iii) a trigger-event notification protocol that routes all upstream ownership changes (including in offshore holdcos) to UAE subsidiary compliance teams within 5 business days of occurrence, allowing the 15-day update deadline to be met; (iv) an annual self-certification process in which each UBO confirms the accuracy of their recorded information; and (v) a document retention policy preserving all supporting documentation (passports, corporate charts, trust deeds, nominee agreements) for a minimum of 5 years, consistent with FDL 10/2025's record-keeping requirements.
For financial institutions, the programme must also address the institution's own obligations as a customer-facing entity performing UBO verification on its clients. Cabinet Resolution 134/2025 requires enhanced due diligence where a customer's UBO is located in a higher-risk jurisdiction, where the ownership structure is complex or opaque, or where there is a mismatch between the MoE register data and the information provided directly by the customer. The institution must document its analysis and retain records of its UBO verification process. Where discrepancies are identified, the institution's AML compliance framework under Cabinet Resolution 134/2025 requires escalation and, where the discrepancy cannot be resolved, filing of a suspicious transaction report with the UAE Financial Intelligence Unit.
Legal professional privilege does not shield BO register documentation from compelled production in a criminal investigation. Under the Criminal Procedure Law (Federal Decree-Law 38/2022), a public prosecutor may issue a search and seizure order targeting corporate records, including BO registers, without prior judicial authorisation in urgent cases. Directors and senior officers who are asked by a public prosecutor to produce BO records should seek legal advice immediately—refusal to produce records when lawfully compelled is itself an offence under FDL 31/2021—but production should be coordinated to ensure privilege over genuinely privileged communications (legal advice memoranda, for example) is asserted correctly at the point of production rather than waived by blanket disclosure.
Practical checklist
- Map every UAE entity and branch; confirm each is registered in the MoE BO portal under CD 109.
- Apply the look-through analysis to identify all natural persons meeting the 25% shareholding or control threshold.
- Record nominees separately from UBOs in both internal registers; obtain and retain nominee agreements.
- Implement a 15-day trigger-event notification protocol for upstream ownership changes in offshore holdcos.
- Verify that trust deeds and foundation charters have been analysed under CD 109's effective-control limb.
- Screen all recorded UBOs against UAE EOCN and international sanctions lists at registration and on change.
- Conduct an annual accuracy review of all BO register entries and obtain written confirmation from each UBO.
- Ensure DIFC or ADGM incorporated non-regulated entities have filed CD 109 data via the MoE portal, not merely with the centre registrar.
What we'd typically advise
In our experience, the most significant CD 109 exposure arises not from deliberate concealment but from governance gaps in complex holding chains—specifically, the failure to route upstream ownership changes to UAE subsidiary compliance teams before the 15-day update deadline expires. We would typically advise groups to treat the BO compliance programme as a standing infrastructure item rather than a one-time registration exercise, with board-level accountability and a designated officer empowered to compel information from group entities in any jurisdiction.
Where a structure involves nominees, trusts, or foundations, we advise commissioning a written legal analysis—updated whenever the relevant instruments are amended—that maps each arrangement to the three CD 109 control limbs and documents the conclusion. That analysis, retained on file, is the most effective defence against an assertion by a regulator that a failure to disclose a UBO was wilful rather than inadvertent. The distinction matters: under FDL 10/2025, wilful concealment carries personal criminal liability for directors at a level that administrative remediation cannot cure after the fact.
Frequently asked questions
Our group's UAE entity is 100% owned by a BVI holdco. Do we need to look through the BVI layer to disclose the BVI's shareholders as UBOs?
Yes. Cabinet Decision 109/2023 requires a look-through analysis regardless of the intermediate entity's jurisdiction. If any natural person owns or controls 25% or more of the BVI entity—directly or through further intermediate layers—they must be recorded as a UBO of the UAE entity. The BVI incorporation does not create an exemption; it creates an additional documentation burden because you must obtain and retain evidence of the BVI's ownership structure to substantiate your disclosure.
We have a discretionary trust above our UAE operating company. No beneficiary has a fixed entitlement. Does anyone need to be recorded as UBO?
Yes. Under CD 109's 'effective control' limb, the settlor must be assessed: if the settlor retains a power of revocation, replacement of trustee, or a letter of wishes that effectively directs trustee decisions, the settlor is the UBO. If the settlor has genuinely divested all control, the trustee is the UBO. The class of discretionary beneficiaries need not be individually recorded unless a specific beneficiary receives a distribution representing 25% or more of the trust's assets—at which point that beneficiary's entitlement becomes a control right. This analysis must be documented and updated whenever the trust deed or trustee changes.
Our entity is incorporated in ADGM but is not regulated by the FSRA. Are we within the CD 109 regime or the ADGM BO Regulations?
Both. ADGM entities registered under the ADGM Companies Regulations 2020 maintain a BO register with the ADGM Registrar of Companies. However, the data-sharing arrangement between ADGM and the MoE does not exempt your entity from the substantive CD 109 obligation. Non-regulated ADGM entities must ensure their BO data submitted to ADGM is current and accurate; the MoE will access that data through the data-sharing channel. A deficiency in the ADGM register is a CD 109 deficiency.
What is the penalty for failing to update the BO register within 15 days of a shareholding change?
Administrative fines under Cabinet Decision 109/2023 for failure to maintain accurate and current registers can reach AED 1,000,000 per violation for wilful concealment, with lower bands for administrative failures. Where the BO failure is connected to a money laundering offence, Federal Decree-Law 10/2025 imposes criminal fines of up to AED 100 million on the legal person, with no statute of limitations. Directors personally may face criminal liability under FDL 10/2025 where they knew of the failure or failed to take reasonable steps to prevent it. Licence suspension is an additional sanction available to the licensing authority.
We use a UAE national as a nominee shareholder. Does the nominee need to be disclosed?
Yes. Under CD 109, both the nominee and the underlying principal must be recorded: the nominee in the Partners/Shareholders Register as the registered holder, and the principal in the Real Beneficiaries Register as the UBO. The nominee agreement must be produced to the licensing authority on request. Any arrangement that records only the nominee and conceals the principal is treated as wilful misrepresentation and may give rise to criminal liability under Federal Decree-Law 31/2021 (forgery or fraud provisions) in addition to CD 109 administrative sanctions.
Our entity has 10 shareholders, none of whom individually holds 25% or more. Do we still need a BO register?
Yes, but the analysis must address the control limbs as well as the shareholding limb. If no natural person holds or controls 25% or more through any of CD 109's three limbs, you must record the senior managing official (typically the CEO or Managing Director) as the default registrant. However, this default is only applicable where control is genuinely dispersed—regulators scrutinise widely dispersed structures carefully to ensure that concert-party arrangements or contractual control rights do not bring a specific natural person within scope. Document your analysis and retain evidence of the shareholder breakdown.
We are a UAE-licensed bank. What are our obligations when a corporate customer refuses to provide UBO information?
Under Cabinet Resolution 134/2025 (the executive regulations to Federal Decree-Law 10/2025), a financial institution that cannot complete UBO verification must not onboard the customer or, in relation to an existing customer, must consider filing a suspicious transaction report with the UAE Financial Intelligence Unit and terminating the relationship. Proceeding without adequate UBO verification—even where the customer refuses rather than the bank failing to ask—exposes the institution to CBUAE administrative sanctions under Law No. 6/2025, where fines reach AED 1 billion. The bank's AML compliance officer should document the refusal and the steps taken in the customer file.
The UAE was removed from the FATF grey list in February 2024. Does that reduce our compliance obligations?
No. Grey-list removal reflects the UAE's implementation of systemic remediation measures; it does not reduce the substantive obligations on individual entities. The MoE and free-zone authorities have maintained and, in some sectors, intensified thematic enforcement reviews. With a FATF mutual evaluation scheduled for 2026, supervisory scrutiny of BO register quality is expected to increase rather than diminish. Entities that assumed grey-list removal signalled a relaxation of enforcement posture have in practice faced unannounced audits and administrative penalty assessments in 2024 and 2025.
Related guides
Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.