Corporate & Regulatory

Anti-Bribery for UAE Operations: Managing FCPA and UK Bribery Act Nexus

Corporate & Regulatory

What this guide covers

  1. The Tripartite Legal Framework: UAE, FCPA and UK Bribery Act
  2. UAE Bribery Offences: What FDL 31/2021 Actually Prohibits
  3. Where Gulf Business Practices Collide with Extraterritorial Law
  4. Building the 'Adequate Procedures' Defence for UAE Operations
  5. The AML/CFT Nexus: Bribery Proceeds and FDL 10/2025
  6. Responding to Investigations: UAE Process and Cross-Border Coordination
  7. Building a UAE-Calibrated ABC Compliance Programme: Strategic Considerations
  8. Practical checklist
  9. What we'd typically advise
  10. Frequently asked questions

Gulf commercial practice — facilitation payments, hospitality, agent commissions — routinely triggers US and UK extraterritorial anti-bribery jurisdiction. This guide maps the collision points, the compliance defences available, and the UAE regulatory framework executives and boards must navigate simultaneously.

Businesses operating in the UAE face a genuinely tripartite anti-corruption exposure. First, domestic UAE law: Federal Decree-Law 31/2021 (the Penal Code, in force 2 January 2022, as amended by FDL 36/2022) contains the primary bribery offences. Articles 234–239 criminalise active and passive bribery of public officials; Article 240 extends liability to bribery in the private sector. Critically, Article 241 imposes criminal liability on the legal person — the company itself — where the offence is committed by a representative, manager or employee for the company's benefit, with fines up to AED 500,000 and mandatory profit confiscation. The amended FDL 36/2022 tightened the sentencing bands and introduced enhanced penalties where the offender holds a position of public trust.

Second, the US Foreign Corrupt Practices Act (FCPA) applies to any 'issuer' (NYSE/NASDAQ-listed entity or SEC filer), any 'domestic concern' (US person or entity), and — critically for UAE-headquartered businesses — any foreign company that uses US instrumentalities: a USD wire through a New York correspondent bank, an email routed via a US server, or a meeting in New York. The Department of Justice and SEC jointly enforce the FCPA. The DOJ's Corporate Enforcement Policy (revised 2023) provides credit for voluntary self-disclosure, full cooperation and remediation, but the threshold for 'full cooperation' is exacting and includes proactive disclosure of implicated individuals.

Third, the UK Bribery Act 2010 (UKBA) applies extraterritorially on the basis of 'carrying on a business' in the UK — a test construed broadly by the SFO to include UK-registered subsidiaries, Lloyd's market placements, London banking relationships and even UK-domiciled beneficial owners. The UKBA's Section 7 'failure to prevent bribery' offence is strict liability for the corporate: the only complete defence is demonstrating 'adequate procedures'. Uniquely, the UKBA prohibits facilitation payments without exception, creating immediate tension with certain entrenched Gulf business practices that may be tolerated under local custom.

UAE businesses must therefore map each transaction against all three regimes simultaneously. A payment made entirely within the UAE, in AED, by a UAE company with no US or UK nexus, engages only FDL 31/2021. Add a London subsidiary, a USD clearing leg, or a UK national to the approval chain, and FCPA or UKBA jurisdiction may be triggered. The interaction between these regimes — and the divergence in what each prohibits — is where sophisticated compliance counsel is essential.

UAE Bribery Offences: What FDL 31/2021 Actually Prohibits

Under Federal Decree-Law 31/2021, bribery is divided into public-sector and private-sector variants. Articles 234–236 address bribery of UAE public officials: a 'bribe' is defined as any gift, benefit or advantage — whether financial or in kind — given or promised to induce an official to perform, delay or refrain from a duty. The definition is deliberately broad and captures indirect benefits channelled through intermediaries (Article 237). A public official who solicits a bribe commits the same offence as one who passively receives it. Sentences range from temporary imprisonment (up to 10 years in aggravated cases) to life imprisonment where the official is a judge or law-enforcement officer.

Private-sector bribery under Article 240 covers employees, managers and agents of private companies. This is significant: a procurement manager who accepts a kickback from a supplier, or a sales director who pays a commission to a customer's employee to secure a contract, is criminally exposed without any public official being involved. The company itself faces liability under Article 241 if the act was committed on its behalf. The AML nexus arises because the proceeds of bribery (being proceeds of a predicate offence) constitute money laundering if subsequently handled, concealed or invested — and Federal Decree-Law 10/2025 (in force 14 October 2025, repealing FDL 20/2018) removes any statute of limitations for money laundering, meaning historical bribery-derived assets remain exposed indefinitely.

An important nuance: FDL 31/2021 does not contain a facilitation payment exception. Small payments made to expedite routine government action — customs clearance, permit processing, licence renewal — are legally prohibited in the UAE, consistent with the UKBA's position but diverging from the FCPA's historical (and now narrowing) facilitation payment carve-out. Companies that have built 'facilitation' into their operational model should treat this as a red-flag item requiring urgent remediation across all three regimes.

Prosecutions in the UAE are handled by the Public Prosecution under Federal Decree-Law 38/2022 (the Criminal Procedure Law, in force 1 March 2023, as amended by FDL 45/2023). The Public Prosecution has broad investigative powers including asset freezing without prior court order at the investigation stage, telephone and electronic surveillance warrants, and cooperation with foreign authorities via Federal Law 39/2006 as amended by FDL 38/2023 on extradition and mutual legal assistance. The UAE's removal from FATF grey-listing in February 2024 — and its anticipated mutual evaluation in 2026 — has materially increased the appetite and capability of UAE enforcement authorities to pursue complex bribery cases.

Where Gulf Business Practices Collide with Extraterritorial Law

Several commercial practices embedded in Gulf business culture create acute FCPA and UKBA exposure for international businesses operating in the UAE. The first is the wasta-intermediary structure: engaging a local agent or 'relationship partner' — often a well-connected national — on a success-fee or retainer arrangement. This is lawful under UAE commercial agency law (Federal Law 18/1981 as amended) when genuinely providing legitimate services. However, where the agent's value derives from personal relationships with government decision-makers, and where the fee is disproportionate to any legitimate service rendered, US and UK prosecutors will scrutinise whether the payment is a conduit for bribing a public official. The FCPA 'knowing' standard catches wilful blindness: a company that deliberately avoids learning what its agent does with a commission is treated as knowing the truth.

The second collision point is government-related hospitality and gifts. UAE business culture places significant weight on relationship hospitality: iftar dinners, private aviation, luxury hotel accommodations during trade visits, gifts at Eid. Under FDL 31/2021, gifts to public officials are prohibited regardless of value if intended to influence conduct. The FCPA and UKBA each permit 'reasonable and bona fide' hospitality but apply a facts-and-circumstances test focused on intent and proportionality. A DIFC-based financial institution that flies a UAE regulator's team to a London conference, covers five-star accommodation and provides corporate entertainment, has created a potential UKBA Section 6 (bribery of a foreign public official) exposure even if the regulator is not UAE-based.

Third, joint ventures and minority shareholdings with state-owned enterprises (SOEs) present systemic risk. The UAE's economic fabric includes numerous SOEs — in energy, real estate, ports and defence — whose employees may be treated as 'foreign officials' under the FCPA. A JV partner's corrupt payment can be attributed to a US-nexus co-venturer if the company ignored red flags, failed to conduct adequate due diligence, or shared in the benefit. FCPA enforcement has repeatedly targeted passive beneficiaries in JV structures.

Fourth, beneficial ownership opacity creates compliance risk at the onboarding stage. Cabinet Decision 109/2023 imposes a 25% beneficial ownership disclosure threshold for UAE companies. However, international counterparties may present structures — particularly those involving Gulf holding companies layered through non-cooperative jurisdictions — where the true ultimate beneficial owner is an embedded public official or their family member. Engaging such a counterparty without adequate due diligence triggers FCPA/UKBA exposure and simultaneously breaches AML obligations under FDL 10/2025, which imposes enhanced due diligence requirements for high-risk relationships and personal liability on senior managers who approve non-compliant onboarding.

Building the 'Adequate Procedures' Defence for UAE Operations

The UK Bribery Act's Section 7 'failure to prevent' offence is strict liability: if an associated person bribes to obtain or retain business for a commercial organisation, the organisation is guilty unless it proves adequate procedures were in place to prevent bribery. The Ministry of Justice's six principles — proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review — provide the framework. For UAE-operating businesses, each principle requires UAE-specific calibration, not a generic global policy imported from a London or New York headquarters.

A UAE-specific risk assessment must identify: the company's government-interface points (licensing, permitting, customs, procurement); its agent and intermediary network with granular information on beneficial ownership verified against Cabinet Decision 109/2023 registers; its JV and SOE relationships; its hospitality and gifts spend by recipient category; and its cross-border payment flows, particularly any USD-denominated transactions subject to FCPA jurisdiction. The risk assessment should be board-approved, documented and reviewed at least annually — or immediately following any material change in business model or geographic footprint.

On due diligence, the adequate procedures standard requires proportionate investigation of business partners. For high-risk intermediaries — agents operating in regulated sectors, government-adjacent consultants, local sponsors — this means: verification of corporate registry records and beneficial ownership under Cabinet Decision 109/2023; politically exposed person (PEP) screening against OFAC, HMT and UAE Central Bank sanctions lists; contractual representations and warranties that no bribery has been or will be committed; audit rights; and termination triggers. The AML framework under FDL 10/2025 imposes parallel enhanced due diligence obligations on financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs), and Cabinet Resolution 134/2025 (Executive Regulations, in force 14 December 2025) provides the operational methodology. Companies in regulated sectors must align their ABC due diligence with their AML/CFT EDD framework to avoid duplicating effort while meeting both standards.

Training and communication must be genuinely UAE-contextualised: English-only e-learning modules designed for Western jurisdictions will not satisfy the adequate procedures defence for a business whose frontline staff are Arabic-speaking operations managers navigating government relationships daily. Senior management must visibly champion the programme — 'tone from the top' is not satisfied by a signed policy statement; it requires active, documented engagement. Critically, the monitoring and review element requires that compliance teams have access to data: payment data, expense approvals, agent commission payments, gifts and hospitality registers. For listed entities or regulated firms, the Federal Decree-Law 32/2025 (establishing the CMA from 1 January 2026) and its related market conduct framework under FDL 33/2025 impose additional governance obligations that interface with ABC compliance requirements.

The AML/CFT Nexus: Bribery Proceeds and FDL 10/2025

The intersection of bribery and money laundering is not merely conceptual in the UAE: it is a live enforcement priority. Federal Decree-Law 10/2025, in force 14 October 2025 (repealing FDL 20/2018 and its amendments), significantly expands the UAE's AML/CFT/CPF architecture. Bribery and corruption have always been predicate offences for money laundering under UAE law; FDL 10/2025 reinforces this by adding tax evasion and proliferation financing as predicates, expanding the scope of reporting obligations, and introducing personal criminal liability for senior managers and compliance officers who fail to implement adequate systems — mirroring the UKBA's corporate liability model but extending it to individuals within the institution.

The practical implication is severe: a bribe paid by a UAE company to secure a government contract generates tainted proceeds — the contract revenue — that are themselves proceeds of crime under FDL 10/2025. The company's finance team that processes those revenues, the treasury that invests them, the bank that holds the account — each may have reporting and freezing obligations once red flags arise. Cabinet Resolution 134/2025 (Executive Regulations) specifies the Travel Rule threshold for virtual assets at AED 3,500, relevant where bribery-derived funds are converted to crypto. There is no statute of limitations for money laundering under FDL 10/2025, meaning proceeds traceable to historical bribery remain permanently exposed.

The administrative penalty regime under FDL 10/2025 imposes fines up to AED 100 million on institutions, and the Central Bank (CBUAE) under Law No. 6/2025 may impose administrative fines up to AED 1 billion for systemic compliance failures. These figures are not theoretical: since the UAE's FATF grey-listing removal in February 2024, enforcement activity has intensified materially, and the 2026 mutual evaluation creates strong institutional incentive for continued rigorous enforcement. Financial institutions and DNFBPs operating in the UAE should treat anti-bribery controls as an integral component of their AML/CFT framework — not a separate programme — because the predicate-offence nexus means a failure in one is a failure in both.

Responding to Investigations: UAE Process and Cross-Border Coordination

When an internal investigation reveals potential bribery, the immediate priority is legal privilege protection and evidence preservation. Under Federal Decree-Law 38/2022 (Criminal Procedure Law, in force 1 March 2023), the UAE Public Prosecution may issue search warrants covering electronic devices and business premises with minimal prior notice. Unlike common law jurisdictions, UAE criminal procedure does not recognise a fully equivalent 'legal professional privilege' doctrine in the same terms, though correspondence between a client and their licensed legal counsel is afforded protection in practice. Retaining UAE-qualified counsel immediately upon discovery of a potential offence is essential to structure any investigation within the best available privilege framework.

The voluntary disclosure question is multi-dimensional. Under the FCPA, the DOJ's Corporate Enforcement Policy provides a presumption of declination (subject to conditions) for companies that voluntarily disclose, fully cooperate and remediate. Under the UKBA, the SFO's self-reporting guidance offers the prospect of a civil settlement via Deferred Prosecution Agreement rather than prosecution. Neither guarantee is absolute, and both require disclosing implicated individuals — which creates tensions with UAE employment law, data protection obligations under Federal Decree-Law 45/2021 (PDPL), and the interests of cooperating witnesses. Critically, voluntary disclosure to a US or UK authority may trigger a UAE Public Prosecution investigation: the MLA framework under Federal Law 39/2006 as amended by FDL 38/2023 enables foreign authorities to request UAE cooperation, and conversely UAE authorities may independently pursue matters publicised in foreign proceedings.

Asset-freezing is a live risk at every stage. The UAE Public Prosecution may freeze assets without prior court order during investigation under FDL 38/2022. In parallel, civil claimants and foreign enforcement authorities may seek worldwide freezing orders via the DIFC Courts under DIFC Court Law 2/2025 — which confirmed the court's jurisdiction to grant worldwide freezing orders in support of foreign proceedings without any requirement for a UAE-sited asset nexus, a position reinforced by the ADGM in A17 v B17 [2025]. This means a company under investigation in London or Washington may simultaneously face a Mareva injunction from the DIFC Courts freezing its global assets at the request of a foreign claimant or regulatory authority.

The investigation response must therefore be coordinated simultaneously across UAE counsel, US FCPA counsel and UK Bribery Act counsel from the outset. Factual development, privilege decisions, interview strategies and disclosure decisions in one jurisdiction directly affect exposure in the others. Board-level oversight of the investigation — with properly documented decision-making — is both a governance requirement and a mitigation factor recognised by enforcement agencies assessing cooperation credit.

Building a UAE-Calibrated ABC Compliance Programme: Strategic Considerations

An effective anti-bribery and corruption (ABC) programme for a UAE-operating business is not a document exercise. Enforcement agencies — the DOJ, SFO and UAE Public Prosecution — assess whether a compliance programme is 'operationally effective': whether it actually prevented, detected or responded to misconduct, not merely whether policies existed on paper. The DOJ's 2023 Evaluation of Corporate Compliance Programs guidance requires prosecutors to assess whether the programme was 'adequately resourced and empowered to function effectively.' For UAE operations, this means the compliance function must have genuine authority to halt transactions, reject business partner relationships and escalate to the board — and must be seen to exercise that authority.

The third-party risk management framework is the highest-priority component for UAE operations given the prevalence of agent and intermediary structures. A tiered due diligence model — with enhanced scrutiny proportionate to government interface, transaction value, jurisdiction risk and beneficial ownership complexity — should be implemented and auditable. Contractual protections must be enforceable under UAE law: anti-bribery representations should be governed by UAE law (or DIFC/ADGM law where the counterparty is DIFC/ADGM-registered), with termination rights, audit rights and clawback provisions. Agents operating under the UAE Commercial Agency framework (Federal Law 18/1981) are difficult to terminate without cause, creating an additional commercial complexity that should be assessed at the contracting stage.

For publicly listed entities or those seeking to list on the Abu Dhabi Securities Exchange or Dubai Financial Market — both of which will fall under the regulatory oversight of the new Capital Markets Authority (CMA) established by Federal Decree-Law 32/2025 from 1 January 2026 — the corporate governance standards applicable under FDL 32/2025 and the market conduct offences codified in FDL 33/2025 (with penalties up to AED 200 million) create an additional compliance layer. Board audit committees should specifically consider whether existing ABC controls satisfy the governance standards required of listed companies under the new CMA framework.

Finally, whistleblower and speak-up infrastructure must be UAE-specific. Anonymous hotlines, non-retaliation policies and escalation procedures must operate in a legal environment where UAE employment law (Federal Decree-Law 33/2021 as amended by FDL 21/2024) governs the employment relationship and where defamation and false reporting offences under FDL 31/2021 create genuine disincentives for employees to report concerns. Practical anonymisation measures, clear non-retaliation commitments with contractual force, and prompt, documented investigation of all reports are essential both to detect misconduct early and to demonstrate operational effectiveness to enforcement agencies.

Practical checklist

  • Map every USD-denominated payment flow and UK-nexus relationship to assess FCPA/UKBA jurisdiction.
  • Verify beneficial ownership of all agents and JV partners against Cabinet Decision 109/2023 registers.
  • Ensure gifts and hospitality policy expressly prohibits payments to UAE public officials under FDL 31/2021.
  • Align ABC third-party due diligence with AML enhanced due diligence obligations under FDL 10/2025.
  • Document board-level approval of the annual ABC risk assessment and any material risk exceptions.
  • Implement Arabic-language training for operations staff with government-interface responsibilities.
  • Review all commercial agency agreements for anti-bribery representations, audit rights and termination triggers.
  • Establish an investigation-response protocol identifying UAE, US and UK counsel activation triggers simultaneously.

What we'd typically advise

Our standard advice to boards and GCs operating across the Gulf is to treat FCPA, UKBA and FDL 31/2021 exposure as a single integrated risk — not three separate compliance workstreams. The most dangerous position is a company that has a US-standard FCPA policy, a UK-standard UKBA policy, and a UAE-law policy, but no mechanism to identify that a single transaction engages all three simultaneously.

We typically recommend beginning with a UAE-specific risk assessment that maps government-interface points, intermediary structures and payment flows against the jurisdictional triggers of each regime. Where that assessment identifies high-risk third-party relationships or historic payment patterns that are difficult to justify under the adequacy standard, early legal advice — protected by privilege from the outset — is far preferable to managing enforcement consequences after the fact. The removal of any statute of limitations for money laundering under FDL 10/2025 means historical exposure does not diminish with time.

Frequently asked questions

We are a UAE-incorporated company with no US or UK operations. Does the FCPA or UK Bribery Act apply to us?

Potentially yes, despite your UAE incorporation. The FCPA applies if you use US instrumentalities — including USD wire transfers clearing through US correspondent banks or US-hosted email servers — in furtherance of a corrupt payment. The UKBA applies if you 'carry on a business' in the UK, which the SFO has interpreted broadly to include UK-registered subsidiaries, Lloyd's placements and UK-domiciled beneficial owners. Even without these nexus points, any future transaction with a US or UK counterparty will require demonstrating an effective compliance programme. A UAE-only analysis under FDL 31/2021 is insufficient for most internationally operating businesses.

Are facilitation payments — small payments to speed up customs clearance or permit processing — permissible in the UAE?

No. FDL 31/2021 does not contain a facilitation payment exception: any payment to a public official to perform a duty they are already obliged to perform is a bribe under Articles 234–237. This is consistent with the UK Bribery Act 2010, which also prohibits facilitation payments without exception. The FCPA historically had a narrow carve-out for facilitation payments, but DOJ enforcement has progressively narrowed this and it provides no protection against UAE or UK law. Companies should treat facilitation payments as prohibited under all three regimes and remediate any operational practices that rely on them.

Our local agent is very well-connected and is paid a 15% success fee on government contracts. Is this legally problematic?

A success fee payable to a government-connected agent is one of the highest-risk structures under both the FCPA and UKBA. The key questions are: what legitimate services does the agent actually perform; is the fee proportionate to those services; and is there evidence that the agent is passing any portion to a government official? Wilful blindness — deliberately not asking these questions — is treated as knowledge under the FCPA. Under the UKBA, the company is strictly liable for an associated person's bribery unless adequate procedures were in place. We would recommend conducting enhanced due diligence on the agent, verifying beneficial ownership under Cabinet Decision 109/2023, restructuring the fee arrangement to a reasonable retainer for documented services, and implementing contractual anti-bribery obligations with audit rights.

If we discover a potential bribery issue internally, should we self-report to the UAE Public Prosecution, the DOJ or the SFO?

This is one of the most consequential decisions in any bribery investigation and must be made with coordinated UAE, US and UK counsel. Voluntary disclosure to the DOJ under its Corporate Enforcement Policy may generate a presumption of declination or reduced penalties, but requires proactive identification of individuals and full cooperation. SFO self-reporting may lead to a civil DPA rather than prosecution. Critically, disclosure to a foreign authority may itself prompt a UAE Public Prosecution investigation via the MLA framework under Federal Law 39/2006 as amended by FDL 38/2023. There is no universally correct answer: the decision depends on the nature of the conduct, the jurisdictions engaged, the evidence, and the company's risk profile. Structured legal privilege from day one of the investigation is essential to preserve strategic optionality.

Can the DIFC Courts freeze our assets globally if we are under investigation abroad?

Yes. Under DIFC Court Law 2/2025, the DIFC Courts may grant worldwide freezing orders in support of foreign proceedings without requiring that any asset be located in the UAE or DIFC. This jurisdiction was confirmed and exercised in A17 v B17 [2025]. The ADGM Courts take an equivalent position. This means a company under DOJ, SFO or foreign civil investigation may face simultaneous asset-freezing applications in the DIFC or ADGM at the request of a claimant or foreign authority — a risk that makes early legal advice and proactive case management essential from the moment an investigation becomes foreseeable.

Does bribery create money laundering exposure under UAE law, and for how long?

Yes, and indefinitely. Bribery is a predicate offence for money laundering under Federal Decree-Law 10/2025. Proceeds of a bribery offence — including contract revenue, fee income or any other benefit derived from the corrupt conduct — constitute criminal proceeds if subsequently handled, concealed or invested. FDL 10/2025 expressly removes any statute of limitations for money laundering, meaning assets traceable to historical bribery remain permanently exposed to confiscation proceedings. Senior managers who approve or fail to prevent the handling of such proceeds face personal criminal liability under FDL 10/2025. The administrative penalty for institutional failures is up to AED 100 million; CBUAE may impose fines up to AED 1 billion under Law No. 6/2025.

We are a financial institution onboarding a UAE company with complex ownership. What are our obligations if a beneficial owner turns out to be a public official?

Under Federal Decree-Law 10/2025 and Cabinet Resolution 134/2025, beneficial ownership must be verified at onboarding using the 25% threshold under Cabinet Decision 109/2023. Where a beneficial owner is a politically exposed person (PEP) — including a UAE public official or their family member — enhanced due diligence is mandatory: source of wealth verification, senior management approval, and ongoing monitoring. Onboarding a relationship where a public official has an undisclosed beneficial interest without EDD creates AML liability for the institution and potential complicity in any underlying bribery offence. Under FDL 10/2025, the compliance officer responsible may face personal criminal liability if the failure is attributable to their conduct. The no-limitation period for ML means this exposure does not diminish over time.

What governance steps should our board take to satisfy the 'adequate procedures' defence under the UK Bribery Act for our UAE operations?

The board must demonstrate top-level commitment that is active and documented, not merely symbolic. This means: board approval of a UAE-specific risk assessment (reviewed at least annually); a compliance function with genuine authority and adequate resources, reporting directly to audit committee; documented board consideration of high-risk third-party relationships and any approved exceptions; a whistleblower mechanism with non-retaliation protections enforceable under UAE employment law (FDL 33/2021); and periodic external review of the programme's operational effectiveness. The SFO and DOJ both assess whether compliance is 'operationally effective' at the time of the offence — a policy document without evidence of implementation carries little weight. Board minutes, audit committee reports and compliance function KPIs are the contemporaneous evidence that matters.

Related guides


Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →