AML & Financial Crime

Sanctions Screening and the UAE Local Terrorist List (EOCN Obligations)

AML & Financial Crime

What this guide covers

  1. The Legal Framework: EOCN, FDL 10/2025 and Cabinet Resolution 134/2025
  2. Who Must Screen: Regulated Entities and DNFBPs Under FDL 10/2025
  3. The 24-Hour Freeze Obligation: Mechanics and Scope
  4. CNMR and PNMR: Mandatory Reporting to the FIU
  5. Building a Compliant EOCN Screening Programme: July 2025 Guidance Standards
  6. Penalties, Personal Liability, and Enforcement Exposure
  7. Strategic Considerations: Cross-Border Complexity, Unfreezing, and De-listing
  8. Practical checklist
  9. What we'd typically advise
  10. Frequently asked questions

UAE-regulated entities face strict obligations to screen against the EOCN local terrorist and proliferation financing lists, freeze matching assets within 24 hours, and report to the Financial Intelligence Unit — with personal criminal liability for officers who fail to act.

The Executive Office for Control and Non-Proliferation (EOCN) administers the UAE's domestic designation regime, maintaining two lists that sit at the heart of the country's counter-terrorism and non-proliferation architecture: the Local Terrorist List (LTL) and the Countering Financing of Proliferation (CFP) list. These are distinct from United Nations Security Council consolidated lists (which UAE entities must also screen against under separate treaty obligations) and from the OFAC SDN or EU Consolidated List. The critical regulatory point — frequently misunderstood by compliance teams — is that EOCN list obligations are governed by domestic UAE law and operate independently of any international framework. Matching a name on the EOCN LTL triggers mandatory action even where the individual or entity does not appear on any UN or Western sanctions list.

The primary legislative instruments as at July 2025 are Federal Decree-Law 10/2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations (in force 14 October 2025, hereafter FDL 10/2025), which repealed and replaced FDL 20/2018 in its entirety, and its executive regulations in Cabinet Resolution 134/2025 (in force 14 December 2025). FDL 10/2025 significantly expanded the predicate offence list to include proliferation financing and tax evasion, introduced personal criminal liability for senior managers, raised administrative fines to AED 100 million, and removed the statute of limitations for money laundering — changes with direct implications for how screening failures are prosecuted. The criminal provisions for terrorist financing sit alongside these in Federal Decree-Law 31/2021 (the Penal Code), as amended by FDL 36/2022, which establishes the substantive offences of financing terrorism and financing illegal organisations.

Cabinet Resolution 134/2025 Chapter VII sets out in granular detail the obligations that apply when a regulated entity's screening produces a positive match against the EOCN lists. It expressly incorporates the EOCN's published guidance — including the July 2025 Guidance on Targeted Financial Sanctions Compliance — as a binding compliance standard. Regulated entities are required to maintain written screening policies, documented screening logs, and records of every match and the action taken, for a minimum of five years. The 2025 rewrite removed certain transitional carve-outs that had existed under the 2018 regime, meaning that DNFBPs (including lawyers, accountants, real estate brokers and company service providers) are now subject to the same screening architecture as financial institutions, with equivalent penalties for breach.

UAE-regulated entities operating within the DIFC and ADGM are subject to both the federal framework described above and their respective financial centre regulators' rules (DFSA AML Module and FSRA AML Rules respectively). Both financial centre regulators have issued updated guidance aligned with FDL 10/2025 and Cabinet Resolution 134/2025. There is no exemption for DIFC or ADGM entities from the EOCN screening obligation; the federal designated lists are incorporated directly into financial centre AML frameworks by reference.

Who Must Screen: Regulated Entities and DNFBPs Under FDL 10/2025

Article 2 of FDL 10/2025 defines the scope of 'Designated Non-Financial Businesses and Professions' (DNFBPs) with greater precision than its predecessor. The category now expressly captures: lawyers and law firms when engaging in the specified activities (real estate transactions, management of client funds, company formation and management, and trust or fiduciary work); notaries; auditors and accountants; real estate agents and brokers; dealers in precious metals and stones; and corporate service providers. The 'specified activities' test for legal professionals is critical — a law firm is not obligated to screen a client who retains it purely for litigation advice, but the same firm is fully obligated the moment it handles a property transfer or holds client money in a designated account. This distinction is frequently overlooked in practice.

Financial institutions subject to CBUAE supervision — licensed banks, exchange houses, finance companies, insurance undertakings and payment service providers — have faced EOCN screening obligations since the 2018 law, but the 2025 reforms tightened the standard in two important ways. First, the definition of 'customer' for screening purposes now explicitly includes the beneficial owner (defined under Cabinet Decision 109/2023 as any natural person holding or controlling directly or indirectly more than 25% of shares or voting rights, or otherwise exercising control). Second, screening must extend to counterparties in transactions above prescribed thresholds, not merely to the account-holding customer. Cabinet Resolution 134/2025 Article 39 specifies that correspondent banking relationships require screening of the respondent institution itself against both EOCN lists and UN lists at onboarding and upon any material change in the relationship.

Virtual asset service providers (VASPs) licensed under VARA Rulebooks 2.0 (May 2025) are subject to screening requirements aligned with the federal framework. The Travel Rule threshold under Cabinet Resolution 134/2025 is set at AED 3,500 per transaction, requiring originator and beneficiary information to be transmitted and screened. A VASP that processes a transfer to a wallet controlled by an EOCN-designated party without detecting the match — because its screening tool did not cover the EOCN list — faces enforcement action under both VARA's supervisory powers and FDL 10/2025. VARA's May 2025 Rulebooks expressly incorporate EOCN list screening as a mandatory element of AML programme requirements for all licensed entities.

The 24-Hour Freeze Obligation: Mechanics and Scope

The most operationally consequential obligation in the EOCN framework is the duty to freeze assets without delay upon identifying a match. FDL 10/2025 Article 17 establishes the freeze obligation in mandatory terms: a regulated entity that identifies a customer, beneficial owner, or transaction counterparty who matches a name on the EOCN LTL or CFP list must immediately freeze all funds and economic resources held for or on behalf of that party. Cabinet Resolution 134/2025 Article 42(1) operationalises 'immediately' as meaning within 24 hours of the match being identified or reasonably identifiable, creating a hard deadline that cannot be extended by internal escalation processes or senior management approval chains. The 24-hour clock runs from the point the front-line system or analyst identifies the potential match, not from the point of formal confirmation.

The scope of the freeze is comprehensive. It extends to all funds, financial assets, economic resources, and income derived from those resources, regardless of where they are held within the institution. For a bank, this means accounts, safe deposit box contents, pending payments (including outgoing SWIFT instructions already queued but not yet released), term deposits, securities portfolios, and any other asset over which the institution has control or custody. Partial freezes — for example, blocking only the account directly associated with the flagged name while leaving a related trading account unfrozen — do not satisfy Article 17. Cabinet Resolution 134/2025 Article 42(2) further requires that the entity cease all ongoing transactions, refuse to process new instructions from the designated party, and place a hold on any pending transfers that have not yet achieved finality. A transfer that has achieved irrevocable settlement finality before the freeze is imposed is not subject to reversal, but the institution must attempt to recover the funds through the Financial Intelligence Unit (FIU) where possible.

A critical nuance — addressed in the July 2025 EOCN Guidance — is the treatment of 'listed persons who are also counterparties in legitimate, pre-existing commercial arrangements'. The guidance confirms that the freeze obligation applies to economic resources broadly, which means an entity cannot continue to perform under a contract that would provide economic benefit to a listed party (for example, continuing to pay rent to a landlord subsequently designated on the LTL). The regulated entity must notify the FIU and await direction before making any payment. Humanitarian exemptions to the freeze do exist under Cabinet Resolution 134/2025 Article 44 — covering basic living expenses for designated natural persons and their dependants — but these require prior FIU authorisation and are narrow in scope.

Operationally, the 24-hour deadline creates acute pressure on compliance and IT infrastructure. Institutions that rely on batch overnight screening runs rather than real-time or near-real-time screening against the EOCN lists are structurally non-compliant: a transaction executed in the morning may only surface in the overnight batch, meaning the 24-hour window has partially elapsed before the compliance team is even aware of the match. The CBUAE's enforcement actions in 2023 and 2024 — before FDL 10/2025 came into force — consistently cited delayed detection as an aggravating factor in penalty calculations. The July 2025 EOCN Guidance expressly recommends continuous (real-time) API-based screening for high-volume institutions, and near-real-time screening with a maximum four-hour lag for lower-volume entities, as the practical standard that regulators will apply when assessing whether a 24-hour freeze obligation was met.

CNMR and PNMR: Mandatory Reporting to the FIU

Once a freeze is imposed, the regulated entity must file a mandatory report with the UAE Financial Intelligence Unit (FIU), which operates the goAML platform. Two distinct report types are relevant to EOCN matches. The Customer Negative Match Report (CNMR) is filed when a customer, beneficial owner, or authorised signatory matches the EOCN LTL or CFP list and assets have been frozen. The Positive Name Match Report (PNMR) — terminology used in certain CBUAE and EOCN guidance documents, though Cabinet Resolution 134/2025 uses 'Funds Freeze Report' — is the report confirming that a freeze has been executed against assets of a designated person. In practice, compliance teams must understand that both report types may be required for the same match event: the CNMR records the identification of the match, and the Funds Freeze Report records the execution of the freeze action and the quantum of assets frozen.

Cabinet Resolution 134/2025 Article 43 specifies the minimum content of the Funds Freeze Report: the full name and identification details of the designated party; the EOCN list reference and designation date; the nature, type, and estimated value of all frozen assets; the date and time the freeze was imposed; any related accounts or economic resources identified; and the name and contact details of the reporting compliance officer. The report must be filed within 24 hours of the freeze being imposed — meaning that in a worst-case scenario, a compliance team has 24 hours from match identification to impose the freeze and a further 24 hours to file the report, a combined maximum of 48 hours from detection to FIU notification. In practice, the July 2025 EOCN Guidance expects simultaneous or near-simultaneous notification, and the FIU's goAML system allows provisional reports to be updated as further details are confirmed.

The CNMR obligation is distinct from the general Suspicious Transaction Report (STR) obligation under FDL 10/2025 Article 15. A positive EOCN match triggers the CNMR/Funds Freeze Report regime automatically — there is no discretionary suspicion threshold to cross. Conversely, a match that is resolved as a false positive (i.e., the screening alert relates to a different individual who shares a name with a listed party, confirmed by robust due diligence including identity document verification) does not require a CNMR, but the entity must document the false positive determination in its records and retain that documentation for five years under Cabinet Resolution 134/2025 Article 56. The false positive documentation must be sufficiently detailed to demonstrate, if challenged by a regulator, that the entity applied genuine analytical rigour rather than treating name-clearing as a box-ticking exercise.

A significant practical complication is the 'tipping off' prohibition under FDL 10/2025 Article 20. Once a CNMR has been filed or a freeze imposed, the regulated entity commits a criminal offence if it discloses to the designated party or any associated third party that a report has been filed or a freeze imposed. This creates a tension in relationship-managed banking and wealth management: the relationship manager may need to deflect customer inquiries about blocked transactions without revealing the true reason. The July 2025 EOCN Guidance suggests that standard 'technical system review' language may be used temporarily, but it cautions that prolonged evasion may itself create legal exposure. Legal advice should be sought promptly once a freeze is imposed in a relationship-managed context.

Building a Compliant EOCN Screening Programme: July 2025 Guidance Standards

The July 2025 EOCN Guidance represents the most granular regulatory articulation of what a compliant UAE local terrorist list screening programme must contain. It builds on the architecture of Cabinet Resolution 134/2025 and should be read as the regulator's interpretive standard — CBUAE, VARA, SCA and free zone regulators will measure screening programme adequacy against this guidance in supervisory reviews and enforcement investigations. The guidance identifies five core components: (i) list coverage and update frequency; (ii) name-matching algorithm and fuzzy-matching thresholds; (iii) alert management workflow and escalation timelines; (iv) false positive documentation; and (v) governance and testing.

On list coverage, the guidance requires screening against both the EOCN LTL and CFP list, the UN Security Council consolidated list (maintained under UNSCR 1267 and successor resolutions), and any other list mandated by the entity's sector regulator. For CBUAE-licensed institutions, this includes OFAC and EU lists only to the extent required by correspondent banking agreements or where the institution has US dollar or euro clearing exposure — the domestic mandate is limited to EOCN and UN lists. The EOCN lists are updated in real time via the EOCN's secure portal, and the July 2025 Guidance requires entities to implement automated list-update ingestion with a maximum four-hour lag from EOCN publication to screening system activation. Manual update processes — where a compliance officer downloads a spreadsheet and uploads it to the screening system — are explicitly identified as inadequate for any entity with daily transaction volumes above AED 500,000.

Name-matching standards are a recurring source of regulatory findings. The July 2025 Guidance specifies that screening systems must handle: Arabic and transliterated Latin script variants; common spelling variations (including Qaddafi/Gaddafi type variations); aliases and known alternative names as published on the EOCN list entry; and date-of-birth and national identification number matching where such data is held by the entity. A system that matches only on exact string equivalence will produce systematic under-detection and will not satisfy the standard. The guidance recommends a minimum fuzzy-matching sensitivity threshold that captures name variants within two standard character transpositions, while acknowledging that higher sensitivity produces more false positives requiring manual review. Calibration of the threshold is a governance decision that must be documented, reviewed annually, and approved by the Money Laundering Reporting Officer (MLRO) or equivalent.

Governance requirements under Cabinet Resolution 134/2025 Article 38 include an annual end-to-end test of the screening programme using a sample of designated names, with the results reported to the board or equivalent senior governance body. The July 2025 Guidance recommends quarterly sampling for high-risk institutions and bi-annual sampling for lower-risk DNFBPs. The MLRO must certify annually that the screening programme meets regulatory standards, and this certification is a document that regulators may request in any supervisory review or investigation. Under FDL 10/2025's personal liability provisions, a false certification by an MLRO who knew or ought to have known that the programme was deficient is not merely a regulatory matter — it can constitute the basis for criminal prosecution.

Penalties, Personal Liability, and Enforcement Exposure

FDL 10/2025 introduced a materially more severe penalty regime than its predecessor. Article 49 sets administrative fines for AML/CFT/CPF violations at up to AED 100 million per violation — a fivefold increase from the AED 20 million maximum under FDL 20/2018. Fines are per-violation, not per-investigation, meaning that a systematic screening failure affecting hundreds of transactions can generate aggregate exposure that renders the single-transaction maximum misleading as a guide to institutional risk. The CBUAE — operating under CBUAE Law No. 6/2025, which sets a maximum administrative fine of AED 1 billion for the most serious institutional breaches — has a separate penalty track for licensed financial institutions that sits alongside FDL 10/2025's penalties and is not capped by them.

The personal criminal liability provisions of FDL 10/2025 Article 51 are the most significant new risk for executives and board members. Where a legal person commits a violation of the AML/CFT/CPF regime, the senior manager responsible for the relevant function is personally criminally liable if it is established that the violation occurred with their knowledge or as a result of their gross negligence. 'Senior manager' is defined to include the CEO, CFO, MLRO, Chief Compliance Officer, and any member of senior management with direct oversight of AML/CFT controls. Conviction can result in imprisonment for a term proportionate to the underlying offence under the Penal Code (FDL 31/2021) and a personal fine. The removal of the statute of limitations for money laundering under FDL 10/2025 Article 48 means that past screening failures — even those predating the 2025 reforms — are not time-barred where the underlying conduct involved money laundering as a predicate.

Enforcement in the context of EOCN screening failures follows a well-established pattern in UAE regulatory practice. The CBUAE's Financial Intelligence and Supervision Department (FISD) typically initiates investigation through supervisory examination findings or an FIU referral. Where a regulated entity has failed to impose a 24-hour freeze, the CBUAE will assess: (i) whether the failure was systemic (screening programme gap) or isolated (human error in an otherwise adequate programme); (ii) whether the entity self-reported the failure; (iii) the value of assets that should have been frozen; and (iv) whether any economic benefit was actually received by the designated party as a result of the failure. Self-reporting and voluntary remediation are consistently treated as mitigating factors. Entities that discover a past screening failure should take immediate legal advice before making any disclosure, to ensure that the disclosure is structured to maximise the mitigating credit available while accurately representing the facts.

Criminal prosecution for terrorist financing under FDL 31/2021 (Penal Code) Articles 84–89 carries potential life imprisonment for the most serious conduct. The threshold for criminal prosecution — as opposed to administrative enforcement — is typically reserved for cases where there is evidence of deliberate facilitation rather than negligent failure. However, the July 2025 EOCN Guidance makes explicit that repeated administrative violations, or violations accompanied by concealment or obstruction, will be referred to the Public Prosecution. Under Federal Decree-Law 38/2022 (Criminal Procedure Law) as amended by FDL 45/2023, the Public Prosecution has broad investigative powers including the ability to freeze assets of the institution or its officers pending investigation, which can itself create acute business continuity risk before any charge is laid.

Strategic Considerations: Cross-Border Complexity, Unfreezing, and De-listing

Entities with cross-border operations face the additional complexity of managing simultaneous EOCN obligations and obligations under other jurisdictions' sanctions regimes. A freeze imposed under an EOCN designation is a UAE domestic legal obligation and cannot be lifted merely because the designated party is not listed by OFAC or the EU. The converse is also true: a party designated by OFAC but not by the EOCN or UN does not trigger the UAE domestic freeze obligation (though it may trigger obligations under correspondent banking agreements or VARA Rulebook compliance requirements for institutions with US dollar exposure). Maintaining a clear analytical separation between EOCN obligations and extraterritorial sanctions compliance is essential to avoid both under-enforcement (failing to freeze an EOCN-listed party because they are not on the OFAC SDN list) and over-enforcement (freezing an OFAC-only listed party under the wrong domestic legal basis, creating unjustified liability exposure).

The process for challenging an EOCN designation — whether by the designated party or by an entity seeking to resolve a freeze — is governed by Cabinet Resolution 134/2025 Article 46 and the EOCN's administrative review procedures. A designated party may submit a petition to the EOCN for review of their listing, supported by evidence that the designation criteria are not met. The review process is not subject to a statutory deadline in the published guidance, and in practice reviews can extend over several months. During this period, the freeze remains in force. Where a regulated entity is holding frozen assets and needs certainty about its own legal position — for example, regarding its obligation to continue holding assets for a party whose designation is under challenge — it should seek FIU direction in writing under Cabinet Resolution 134/2025 Article 43(5).

The interaction between EOCN freezes and insolvency proceedings is an emerging area of complexity under Federal Decree-Law 51/2023 (Bankruptcy Law). Where a company subject to an EOCN freeze enters bankruptcy proceedings before the Bankruptcy Court established under FDL 51/2023, a question arises as to whether the automatic stay provisions of the Bankruptcy Law can override a regulatory freeze obligation. UAE courts have not yet produced definitive authority on this intersection, but the weight of regulatory opinion (consistent with international practice) is that the EOCN freeze, as a public law obligation, takes precedence over the civil insolvency stay. Entities facing this scenario require specialist advice at the junction of financial crime law and insolvency practice.

For HNW individuals and family offices with UAE-based asset management arrangements, the practical risk of being caught by an EOCN screening match — even as a false positive — is significant. The reputational and operational consequences of a freeze, even one that is subsequently resolved as a false positive, can include disruption to real estate transactions, disruption to corporate restructurings, and damage to banking relationships. Proactive engagement with the institution's compliance function before a transaction — particularly where the individual or entity involved has a name that shares characteristics with known designees, or has business connections to jurisdictions with elevated sanctions risk — can reduce the risk of avoidable disruption.

Practical checklist

  • Screen all customers, beneficial owners (25% threshold under Cabinet Decision 109/2023), and transaction counterparties against the EOCN LTL and CFP lists at onboarding and continuously.
  • Implement real-time or maximum four-hour lag automated EOCN list ingestion — batch overnight screening is non-compliant for high-volume entities under July 2025 EOCN Guidance.
  • Impose asset freeze within 24 hours of identifying an EOCN match, covering all accounts, assets, and pending transactions under FDL 10/2025 Article 17.
  • File a Funds Freeze Report (CNMR/PNMR) on goAML within 24 hours of executing the freeze, with full asset and designation details per Cabinet Resolution 134/2025 Article 43.
  • Document and retain all false positive determinations for five years, with sufficient analysis to withstand regulatory scrutiny under Cabinet Resolution 134/2025 Article 56.
  • Ensure MLRO certifies screening programme adequacy annually and conduct end-to-end testing using designated names per July 2025 EOCN Guidance.
  • Do not disclose to the designated party or associated third parties that a freeze or report has been filed — tipping off is a criminal offence under FDL 10/2025 Article 20.
  • Obtain immediate legal advice before self-reporting a past screening failure to structure the disclosure for maximum regulatory mitigation.

What we'd typically advise

When a potential EOCN match surfaces — whether in a client onboarding, a live transaction, or a retrospective screening exercise — the first priority is to secure the legal position before taking any action that could be characterised as facilitating a designated party or, conversely, as an unlawful freeze of a legitimate customer's assets. The 24-hour clock under FDL 10/2025 is unforgiving, but acting precipitately on a false positive creates its own liability. We would typically advise engaging specialist legal counsel within the first two to four hours of a match alert, running an expedited identity verification process in parallel, and preparing both the freeze mechanism and the goAML report concurrently so that either can be executed at a moment's notice. Where personal manager liability is in scope — particularly for MLROs and CCOs of CBUAE-licensed institutions — early legal advice is not a procedural comfort; it is a substantive protection.

Frequently asked questions

What happens if our screening system produces a false positive match against the EOCN list — do we still have to freeze the customer's assets?

No — the freeze obligation under FDL 10/2025 Article 17 is triggered by a genuine match, not a screening alert. However, the 24-hour clock creates pressure: if you cannot conclusively resolve the alert as a false positive within 24 hours using robust identity verification (full name, date of birth, national ID, and any aliases), the prudent position is to impose a precautionary freeze while the analysis is completed and to seek FIU direction. Every false positive must be fully documented and retained for five years under Cabinet Resolution 134/2025 Article 56. Do not simply dismiss an alert without a written, evidenced determination.

We are a law firm. Does UAE local terrorist list screening apply to us, and if so, for which client activities?

Yes, but only for specified activities. Under FDL 10/2025 Article 2 and Cabinet Resolution 134/2025, the obligation applies when you are engaged in: real estate transactions; management of client funds or accounts; incorporation, management, or administration of legal persons or arrangements; and trust or fiduciary services. Pure litigation or legal advisory retainers do not trigger the screening obligation, but the moment you hold client money, manage a property transfer, or form a company for a client, you are a DNFBP subject to the full screening framework, including the 24-hour freeze duty and CNMR reporting.

What is the difference between the EOCN list and the UN Security Council consolidated list, and do we need to screen against both?

They are legally separate instruments. The EOCN Local Terrorist List (LTL) and CFP list are domestic UAE designations administered by EOCN under the UAE's autonomous designation authority. The UN list is maintained under UNSCR 1267 and successor resolutions and is incorporated into UAE law by separate treaty obligation. A person may appear on one but not the other. Cabinet Resolution 134/2025 requires screening against both — and against any additional list mandated by your sector regulator. Screening against the UN list only is a systemic compliance gap that regulators have cited in enforcement actions.

Can we be criminally liable as individuals — not just as a firm — for a screening failure?

Yes. FDL 10/2025 Article 51 establishes personal criminal liability for senior managers — including CEOs, CFOs, MLROs, and CCOs — where a violation occurs with their knowledge or as a result of their gross negligence. Conviction can result in imprisonment under FDL 31/2021 (Penal Code) and a personal fine. The threshold for individual prosecution is 'knowledge or gross negligence', which regulators have interpreted broadly in supervisory guidance. A documented, functioning screening programme that the individual actively oversees is the primary factual defence.

We are a VARA-licensed virtual asset service provider. Do we have to screen against the EOCN lists on every transaction?

Yes. VARA Rulebooks 2.0 (May 2025) expressly incorporate EOCN list screening as a mandatory AML programme requirement for all licensed entities. The Travel Rule under Cabinet Resolution 134/2025 applies at AED 3,500 per transaction, requiring originator and beneficiary information to be transmitted and screened against EOCN and UN lists. Screening must cover the wallet owner or controller, not merely the wallet address. A failure to detect an EOCN-designated beneficiary because your screening tool did not include the EOCN list exposes you to enforcement under both VARA's supervisory powers and FDL 10/2025's penalty regime.

How does a designated party challenge their listing on the EOCN LTL, and what happens to frozen assets during the review?

Under Cabinet Resolution 134/2025 Article 46, a designated party may petition the EOCN for administrative review of their listing, supported by evidence that the designation criteria are not satisfied. There is no statutory deadline for the review, and freezes remain in force throughout. Regulated entities holding frozen assets should obtain written FIU direction under Article 43(5) regarding their ongoing obligations during a pending review. Legal representation in the review process is permitted and is strongly advisable given the absence of a fixed timeline and the consequences of continued asset immobilisation.

What are the maximum penalties for failing to screen against the EOCN lists or failing to impose a 24-hour freeze?

Under FDL 10/2025 Article 49, administrative fines reach AED 100 million per violation. For CBUAE-licensed institutions, CBUAE Law No. 6/2025 provides for a separate administrative fine of up to AED 1 billion for the most serious institutional breaches. Fines are per-violation, so systematic failures across multiple transactions produce cumulative exposure. Criminal prosecution under FDL 31/2021 for financing terrorism carries potential life imprisonment for the most serious conduct. Regulators treat self-reporting and voluntary remediation as mitigation, but this credit is substantially reduced if the failure is discovered through supervisory examination rather than disclosed proactively.

Our institution discovered a screening gap from before FDL 10/2025 came into force in October 2025. Are we still at risk?

Potentially, yes. FDL 10/2025 Article 48 removes the statute of limitations for money laundering offences. Where a past screening failure involved a transaction that constituted or facilitated money laundering, there is no time bar. For pure CFT screening failures without a money laundering dimension, the limitation position is more nuanced and requires analysis under FDL 31/2021. More importantly, the discovery of a past gap is itself a material event that should be reported to the FIU and the relevant regulator — failing to report a known historical gap after it is discovered can constitute a fresh violation. Immediate legal advice is essential before any disclosure is made.

Related guides


Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →