What this guide covers
- The Current Legal Framework: What Has Changed and Why It Matters
- Recognising the Trigger: How CBUAE Investigations Begin
- The First 72 Hours: A Step-by-Step Response Protocol
- Asset Freezes, Account Restrictions and Interim Measures
- Personal Liability for Senior Managers: The Sharpened Edge of FDL 10/2025
- Navigating CBUAE Enforcement: Cooperation, Remediation and Penalty Mitigation
- When the Matter Goes Criminal: Managing the Parallel Track
- Practical checklist
- What we'd typically advise
- Frequently asked questions
A CBUAE supervisory action or AML investigation can move from initial notice to asset freeze and criminal referral within days. Banks, PSPs and their senior managers need a precise, legally grounded response plan from the moment contact is made.
The Current Legal Framework: What Has Changed and Why It Matters
The UAE's AML/CFT/CPF regime underwent a fundamental overhaul when Federal Decree-Law 10/2025 came into force on 14 October 2025, simultaneously repealing Federal Decree-Law 20/2018. Cabinet Resolution 134/2025, effective 14 December 2025, sets out the executive regulations. Any institution or adviser still referencing the 2018 law is operating on repealed authority. The practical consequences of that error in a live investigation are severe: misidentifying the applicable predicate offences, misstating the limitation period, or misquoting the penalty range to a regulator or court will destroy credibility at exactly the moment it matters most.
Under FDL 10/2025, three changes are structurally significant for financial institutions. First, proliferation financing and tax evasion are now explicitly enumerated predicate offences. Second, personal criminal liability for senior managers is codified: a compliance officer, CEO or board member who knew or ought to have known of AML failures and failed to act faces individual prosecution independent of any action against the institution. Third, there is no statute of limitations for money laundering offences under FDL 10/2025 — a provision with immediate relevance for historic transaction reviews that regulators may now reopen without time restriction.
Sitting above the AML law, the Central Bank of the UAE operates under CBUAE Law No. 6/2025, which raised the ceiling for a single administrative fine to AED 1 billion. That figure is not a theoretical maximum reserved for systemic failures: CBUAE's enforcement division has signalled that penalty calibration will reflect the size of the institution, duration of non-compliance, and whether cooperation was genuine. For a mid-sized licensed bank or payment service provider, a fine in the AED 50–200 million range is now a realistic planning scenario for serious compliance failures, not an outlier. Cabinet Resolution 134/2025 specifies the aggravating and mitigating factors that CBUAE must consider, making early legal analysis of those factors a first-day priority.
The Criminal Procedure Law, Federal Decree-Law 38/2022 (in force 1 March 2023, as amended by FDL 45/2023), governs search and seizure, witness examination and asset restraint in the parallel criminal track. Where CBUAE refers a matter to the Public Prosecution — which it is empowered to do and increasingly does — the procedural rights of both the institution and its individuals shift significantly. Understanding which track is active, and whether both are running simultaneously, is the first analytical task for external counsel engaged in hour one.
Recognising the Trigger: How CBUAE Investigations Begin
CBUAE supervisory actions against banks and PSPs do not always arrive as formal notices. The investigation may already be weeks or months old before the institution receives any direct communication. Common trigger events include: a flagged suspicious transaction report (STR) that generates a feedback loop back to the filing institution; a targeted examination scheduled as part of CBUAE's annual supervisory cycle that uncovers deficiencies; a cross-border mutual legal assistance request under Federal Law 39/2006 (as amended by FDL 38/2023) that identifies the UAE institution as a correspondent or beneficiary bank; or intelligence shared through CBUAE's Financial Intelligence Unit (FIU) from a foreign counterpart, particularly post-FATF re-engagement following the UAE's removal from the grey list in February 2024 and from the EU high-risk list in 2025.
The formal trigger documents to recognise immediately are: a CBUAE examination letter or on-site inspection notice; a request for information (RFI) under CBUAE Law No. 6/2025; a provisional administrative decision; or — in the most serious cases — a concurrent notice from the Public Prosecution accompanied by a judicial order under FDL 38/2022. Each document type carries different response deadlines, different privilege implications, and different consequences for non-compliance. Treating a CBUAE RFI as a routine correspondence matter, rather than as the opening move of a formal investigation, is the single most damaging error institutions make in the first 24 hours.
PSPs — particularly those operating in the digital payments and crypto-adjacent space — face an additional layer of complexity. Cabinet Resolution 134/2025 introduced a Travel Rule threshold of AED 3,500 for virtual asset transfers, aligning with FATF Recommendation 16. A PSP that has not implemented compliant Travel Rule procedures faces compounded exposure: the underlying AML failure plus a discrete regulatory breach of the executive regulations. VARA Rulebooks 2.0 (May 2025) impose parallel obligations on licensed virtual asset service providers, meaning a crypto-enabled PSP may simultaneously face CBUAE action and a VARA regulatory inquiry — two separate proceedings requiring coordinated but distinct legal responses.
The First 72 Hours: A Step-by-Step Response Protocol
Hour 0–4: Immediate legal privilege protection. The first action is to engage external AML counsel so that all subsequent communications, internal reviews and document collections are conducted under legal professional privilege to the maximum extent UAE law permits. Under FDL 38/2022, the Public Prosecution has broad powers to compel document production, but communications between a licensed lawyer and client for the purpose of providing legal advice retain protection. Internal emails drafted without counsel — particularly those containing candid assessments of compliance failures — are compellable. Establish a war-room protocol: all written analysis goes through or at the direction of external counsel from this point forward.
Hour 4–12: Verify the document, identify the track, assess personal exposure. Authenticate and date-stamp the trigger document. Identify precisely which CBUAE power has been invoked under Law No. 6/2025 and whether a parallel criminal referral has been made or is anticipated. Immediately assess whether any named or identifiable senior individuals — MLRO, CEO, CFO, Head of Compliance — are potentially exposed to personal liability under FDL 10/2025's manager liability provisions. If personal exposure exists, those individuals require separate independent legal representation; a conflict of interest between the institution and its senior officers will crystallise rapidly if a criminal referral is made. Do not allow the institution's general counsel or a single external firm to represent both the institution and individual officers without a formal conflicts analysis.
Hour 12–48: Evidence preservation and internal investigation scoping. Issue a litigation hold covering all relevant electronic and physical records. Under FDL 38/2022, destruction or alteration of evidence after a formal proceeding has commenced — or where such a proceeding is reasonably foreseeable — constitutes a separate criminal offence. The hold should cover transaction records, STR files, correspondent banking communications, KYC/CDD documentation, board and compliance committee minutes, and all internal audit reports touching the relevant period. Scope the internal investigation carefully: an overly broad investigation may surface issues beyond the regulator's current focus, while an insufficiently broad one may be seen as obstructive if gaps emerge later.
Hour 48–72: Regulator engagement strategy. Before any substantive response is sent to CBUAE or any meeting takes place, agree a communication strategy with external counsel. Cabinet Resolution 134/2025 treats genuine, proactive cooperation as a mitigating factor in penalty calibration. However, cooperation must be carefully managed: voluntary disclosure of issues beyond the scope of the current inquiry is a strategic decision, not a default obligation, and premature admissions in written correspondence can be used against the institution in subsequent proceedings. Prepare a holding response that acknowledges receipt, confirms engagement of counsel, and requests confirmation of the applicable response deadline — without making any substantive concession.
Asset Freezes, Account Restrictions and Interim Measures
CBUAE Law No. 6/2025 empowers the regulator to impose interim restrictions on an institution's operations — including directing suspension of specific payment flows or restricting account activity — without prior notice in urgent cases. These administrative measures are distinct from, but can run parallel to, judicial asset-freezing orders sought by the Public Prosecution under FDL 38/2022. An institution that discovers its correspondent accounts have been restricted should treat this as a tier-one crisis: the operational impact on liquidity and customer relationships can escalate within hours, and the reputational damage from market rumour of a CBUAE restriction is often as damaging as the restriction itself.
Where the matter has a cross-border dimension — for example, a foreign bank has obtained a freezing order in its home jurisdiction and is seeking enforcement in the UAE — the landscape has been clarified by recent developments in both the DIFC and ADGM. The DIFC Court Law 2/2025 and the ADGM decision in A17 v B17 [2025] confirmed that worldwide freezing orders in support of foreign proceedings are available without any requirement for a local-asset nexus. This is strategically important for UAE-licensed institutions with overseas operations: assets located internationally can be frozen through UAE financial centre courts acting in support of foreign criminal or civil proceedings, even where the UAE institution itself is not the primary subject of those proceedings.
For PSPs and crypto-adjacent institutions, the Travel Rule provisions under Cabinet Resolution 134/2025 create a specific freeze risk. Where a PSP has processed virtual asset transfers above AED 3,500 without compliant originator/beneficiary information, CBUAE may treat each non-compliant transaction as a discrete AML breach, potentially multiplying the aggregate penalty exposure substantially. Beneficial ownership failures — assessed under Cabinet Decision 109/2023's 25% threshold test — can compound this exposure if the institution cannot demonstrate that it verified the ultimate beneficial owners of counterparty entities through which suspicious flows moved.
Personal Liability for Senior Managers: The Sharpened Edge of FDL 10/2025
The codification of personal manager liability in FDL 10/2025 represents the most operationally significant change for bank executives and PSP leadership teams. Unlike the position under the repealed FDL 20/2018, where individual prosecution of officers required proof of direct personal involvement in the underlying offence, FDL 10/2025 imposes liability on senior managers who knew or ought to have known of AML/CFT failures and failed to take adequate corrective action. This objective-knowledge standard means that a compliance officer who received internal audit reports flagging deficiencies, a CEO who approved a business line expansion without adequate AML controls, or a board member who signed off on a compliance budget that systematically underresourced the AML function, may all face personal criminal exposure.
The Federal Penal Code, Federal Decree-Law 31/2021 (in force 2 January 2022, as amended by FDL 36/2022), governs the general criminal law principles applicable to corporate officers. Sentences for money laundering under FDL 10/2025 can include imprisonment and personal fines up to AED 100 million. A convicted individual is also typically subject to a prohibition on holding financial sector positions. The reputational and professional consequences of a personal conviction are therefore irreversible in a way that institutional fines are not. This asymmetry should shape the institution's approach to personnel decisions during the investigation: suspending or terminating individuals in ways that could be construed as scapegoating, or that compromise the individual's ability to take independent legal advice, creates both ethical and legal problems.
MLROs occupy a particularly sensitive position. Under FDL 10/2025 and CBUAE's licensing requirements, the MLRO bears primary responsibility for the STR filing programme and the AML framework. If the investigation reveals that STRs were not filed when they should have been — or were filed late — the MLRO's personal conduct will be scrutinised as a priority. MLROs should immediately secure independent legal advice on their own position and should not assume that institutional indemnities will cover criminal proceedings. Employment contracts and D&O insurance policies should be reviewed within the first 48 hours to understand the scope and limits of available coverage.
Navigating CBUAE Enforcement: Cooperation, Remediation and Penalty Mitigation
Cabinet Resolution 134/2025 provides the most detailed articulation to date of the factors CBUAE will weigh in calibrating administrative penalties under Law No. 6/2025. Mitigating factors include: the speed and completeness of cooperation with the examination; whether the institution self-reported the deficiency before CBUAE identified it; the quality and credibility of the remediation plan; whether there was genuine board-level accountability demonstrated through documented governance responses; and the absence of prior regulatory sanctions. Aggravating factors include: deliberate concealment, repeat violations, systemic rather than isolated failures, and harm caused to third parties. Understanding this matrix allows counsel to structure the institution's response to maximise mitigation credit — but this requires early, strategic decisions, not reactive compliance.
A remediation plan submitted to CBUAE should be drafted as a legally defensible document, not a management consulting deliverable. It should identify root causes with precision, set measurable milestones with accountable owners, and include independent assurance mechanisms. CBUAE has increasingly required institutions to appoint an independent compliance monitor — a firm or individual approved by the regulator — to oversee remediation. If a monitor appointment is likely, counsel should be involved in negotiating the monitor's mandate and information-sharing protocols before any agreement is signed, since the monitor's reports may be shared with the Public Prosecution in a parallel criminal track.
Where the institution has corporate tax exposure connected to the underlying transactions — for example, where the AML investigation reveals undisclosed revenues — the interaction with Federal Decree-Law 47/2022 and Cabinet Decision 129/2025 penalty provisions becomes relevant. Voluntary disclosure to the Federal Tax Authority attracts a penalty of 1–4% of the tax shortfall; assessment on audit attracts 15%. This differential creates a time-sensitive decision point: if the AML investigation will inevitably surface the tax issue, a contemporaneous voluntary tax disclosure may limit that exposure. The decision requires coordinated advice across AML and tax counsel.
When the Matter Goes Criminal: Managing the Parallel Track
CBUAE has both the power and the institutional incentive to refer serious AML failures to the Public Prosecution. Post-FATF mutual evaluation reporting in 2026 will scrutinise the UAE's enforcement record, creating regulatory pressure to demonstrate that financial crime is prosecuted robustly and not merely fined administratively. Institutions should assume that any matter involving deliberate concealment, large-volume suspicious flows, or personal enrichment by insiders will generate a criminal referral, and should prepare accordingly from the outset even if the formal action appears administrative.
Once a criminal investigation is opened by the Public Prosecution under FDL 38/2022, the procedural landscape changes materially. The prosecution has powers to: summon witnesses for examination; issue search warrants for premises and electronic systems; freeze assets by judicial order without prior notice; and request mutual legal assistance from foreign jurisdictions under Federal Law 39/2006 (as amended by FDL 38/2023). An institution that has been cooperating with a CBUAE administrative process must immediately reassess its disclosure posture when a criminal referral is made: documents voluntarily provided in the administrative track may be available to the prosecution, and witness statements given to CBUAE examiners may be referred to in criminal proceedings.
The cross-border dimension adds further complexity. Where foreign regulators or law enforcement — the US DOJ, UK FCA, or FATF member-state counterparts — are involved, the UAE Public Prosecution may receive MLA requests seeking bank records, transaction histories, and testimony. Federal Law 39/2006 as amended governs the UAE's MLA obligations. Institutions should map their data-sharing obligations under the applicable MLA treaties and UAE domestic law against their own confidentiality and data protection obligations before responding to any production request, whether direct or through the Public Prosecution. A misstep in either direction — refusing a lawful production request or producing protected material without proper authorisation — carries independent liability.
Practical checklist
- Engage specialist external AML counsel within the first four hours of receiving any CBUAE notice
- Authenticate, date-stamp and preserve every trigger document without alteration
- Issue a firm-wide litigation hold covering transactions, KYC files, STR records and board minutes
- Identify all individuals with potential personal liability under FDL 10/2025 and ensure separate representation
- Assess whether a parallel criminal referral has been made or is reasonably foreseeable before any substantive response
- Review D&O insurance policies and employment indemnities for scope and criminal-proceedings exclusions within 48 hours
- Do not make voluntary disclosures beyond the regulator's stated scope without senior counsel sign-off
- Prepare a legally defensible holding response acknowledging receipt and confirming counsel engagement before any substantive reply
What we'd typically advise
In our experience of CBUAE enforcement matters, the institutions that achieve the best outcomes — reduced penalties, contained personal exposure, preserved operating licences — are those that treat the first 72 hours as a strategic legal exercise, not a compliance housekeeping task. Under Law No. 6/2025 and FDL 10/2025, the mitigating factors are real and calibrated, but they require deliberate action to activate: a credible cooperation posture, a defensible remediation plan, and clearly separated legal representation for the institution and its senior individuals.
We would typically advise convening a board-level crisis committee with legal counsel present from day one, suspending all non-privileged internal written analysis of the facts, and engaging proactively with CBUAE's examination team in a structured, counsel-supervised format. The worst outcomes we have seen invariably involve institutions that delayed legal engagement or assumed the matter would resolve through normal supervisory channels.
Frequently asked questions
Can CBUAE actually impose a fine of AED 1 billion on a single institution?
Yes. CBUAE Law No. 6/2025 sets AED 1 billion as the ceiling for a single administrative fine against a licensed institution. Cabinet Resolution 134/2025 sets out the calibration factors. For large licensed banks with systemic compliance failures, sustained non-compliance, and evidence of concealment, a penalty in the hundreds of millions of dirhams is now within the realistic enforcement range, not a theoretical maximum.
Does the MLRO face personal criminal liability even if the institution itself is not prosecuted?
Yes. FDL 10/2025 codifies personal manager liability on a knew-or-ought-to-have-known standard. An MLRO who failed to file STRs, inadequately resourced the AML programme, or did not escalate identified risks to the board can be prosecuted individually, independent of any action against the institution. The MLRO should obtain independent legal advice as a priority; the institution's lawyers cannot represent both the institution and individual officers without a conflicts analysis.
Is there a time limit for CBUAE or the prosecution to bring AML charges for historic transactions?
No. FDL 10/2025 explicitly removes the statute of limitations for money laundering offences. This means CBUAE and the Public Prosecution can investigate and prosecute conduct going back indefinitely. Institutions undergoing historical transaction reviews — for example, as part of a CBUAE thematic examination or a new ownership due diligence process — should seek legal advice on exposure before voluntarily producing historical records.
If we self-report an AML deficiency to CBUAE, will it be used against us in a criminal proceeding?
Potentially yes. Material voluntarily provided in the administrative track can be accessed by the Public Prosecution in a parallel criminal investigation. Self-reporting is a recognised mitigating factor under Cabinet Resolution 134/2025, but the decision to self-report — and the scope of what is disclosed — must be made with criminal-track implications in mind. Do not self-report without senior external AML counsel involvement.
Our PSP processes crypto payments. Does a CBUAE AML investigation also trigger VARA scrutiny?
It may. VARA Rulebooks 2.0 (May 2025) impose independent AML/CFT obligations on licensed virtual asset service providers. If your PSP holds or requires a VARA licence and is also regulated by CBUAE, both regulators may have concurrent jurisdiction over the same conduct. Cabinet Resolution 134/2025 also introduces the Travel Rule at AED 3,500 for virtual asset transfers. Coordinate responses to both regulators through a single legal strategy to avoid inconsistent positions.
A foreign court has frozen our overseas accounts in connection with this matter. Can that order be enforced in the UAE?
Yes, and through both financial centre courts. DIFC Court Law 2/2025 and the ADGM decision in A17 v B17 [2025] confirmed that worldwide freezing orders in support of foreign proceedings are available without a local-asset nexus. A foreign authority can also pursue mutual legal assistance under Federal Law 39/2006 as amended by FDL 38/2023, which obliges the UAE Public Prosecution to execute qualifying requests. Legal advice on both tracks should be sought urgently.
What is the difference between an administrative CBUAE fine and a criminal conviction, and can we face both?
Yes, both can run simultaneously. An administrative fine under CBUAE Law No. 6/2025 is a regulatory penalty imposed by the Central Bank without requiring proof beyond reasonable doubt. A criminal conviction under FDL 10/2025, prosecuted by the Public Prosecution before a criminal court under FDL 38/2022, requires that higher standard but carries imprisonment, personal fines up to AED 100 million, and a bar on holding financial sector positions. The two tracks are procedurally independent, and a CBUAE fine does not preclude or reduce criminal liability.
How quickly do we need to respond to a CBUAE request for information, and what happens if we miss the deadline?
CBUAE Law No. 6/2025 does not prescribe a universal RFI deadline — the timeframe is typically stated in the notice itself and can range from 5 to 20 business days depending on urgency. Failure to respond within the stated period is itself a regulatory breach that can be treated as an aggravating factor under Cabinet Resolution 134/2025, increasing the penalty range. If the deadline cannot be met because of the volume of material required, an extension request — submitted by counsel, with reasons — should be made before the deadline expires.
Related guides
Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.