AML & Financial Crime

goAML and STR Filing: A Reporting-Entity Playbook

AML & Financial Crime

What this guide covers

  1. The Current Legal Framework: FDL 10/2025 and Cabinet Resolution 134/2025
  2. Reporting Entities: Who Is Caught by the Obligation
  3. The STR Trigger: What Constitutes a Suspicion
  4. Step-by-Step: Filing a goAML Suspicious Transaction Report in the UAE
  5. The Cost of Non-Filing: Criminal, Administrative, and Reputational Exposure
  6. Strategic Considerations: Managing the STR Process Without Tipping Off or Prejudicing the Business
  7. Cross-Border Dimensions: MLA, Freezing Orders, and the Post-Grey-List Environment
  8. Practical checklist
  9. What we'd typically advise
  10. Frequently asked questions

Filing a goAML suspicious transaction report in the UAE is a legal obligation carrying criminal and administrative consequences for failure. This playbook distils the current framework under Federal Decree-Law 10/2025 and Cabinet Resolution 134/2025 into actionable guidance for compliance officers, GCs, and boards.

The cornerstone of UAE anti-money laundering obligations is Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations, which entered into force on 14 October 2025 and entirely repealed Federal Decree-Law No. 20 of 2018. The implementing rules are contained in Cabinet Resolution No. 134 of 2025, effective 14 December 2025. Any compliance programme, STR policy, or board training that continues to reference FDL 20/2018 is legally deficient and creates regulatory exposure — practitioners must update their frameworks urgently.

FDL 10/2025 makes three structural enhancements of immediate practical significance. First, it formally designates proliferation financing and tax evasion as predicate offences, meaning that transactions connected to sanctions evasion or undeclared offshore assets now independently trigger the STR obligation. Second, it introduces personal liability for senior managers and compliance officers where failures are attributable to their negligence or wilful blindness — not merely to the institution. Third, it raises the ceiling on administrative fines from AED 5 million to AED 100 million per violation, with no statute of limitations on money laundering prosecutions.

The supervisory architecture remains divided: the Central Bank of the UAE (CBUAE) under Law No. 6/2025 supervises licensed financial institutions and may impose administrative fines up to AED 1 billion; the Financial Intelligence Unit (FIU) — a department of the Central Bank — receives and analyses all STRs and SARs through the goAML platform; and the Anti-Money Laundering and Suspicious Cases Unit (AMLSCU) coordinates with law enforcement. DNFBPs (designated non-financial businesses and professions) fall under sector-specific supervisors including the CBUAE, VARA, and the Ministry of Economy's DNFBP supervision unit.

For DIFC and ADGM entities, the DFSA and FSRA apply equivalent STR obligations drawing on their own rulebooks, but both regulators require reporting to the UAE FIU via goAML — the platform obligation is universal. Crypto asset service providers licensed by VARA are expressly covered by Cabinet Resolution 134/2025, including the Travel Rule threshold of AED 3,500 for virtual asset transfers, below which simplified due diligence may apply but above which full transaction monitoring and potential STR filing is required.

Reporting Entities: Who Is Caught by the Obligation

Under FDL 10/2025, the obligation to file a Suspicious Transaction Report (STR) — sometimes called a Suspicious Activity Report (SAR) in FATF terminology — falls on all Reporting Entities as defined in Article 1. The category is broad and deliberately so. It encompasses: licensed banks and finance companies; exchange houses and payment service providers; insurance companies and insurance-related intermediaries; securities brokers and investment managers; virtual asset service providers (VASPs) regulated by VARA or a financial free zone authority; real estate brokers and developers receiving cash or virtual asset payments; dealers in precious metals and stones (DPMS) at or above the prescribed threshold; auditors, accountants, and tax advisers; lawyers and notaries when facilitating transactions (not when advising on litigation); company service providers; and trust and corporate service providers.

The critical threshold for DPMS under Cabinet Resolution 134/2025 is a cash transaction at or above AED 55,000 (equivalent), consistent with the prior regime. Above this level, the dealer becomes a reporting entity for that transaction and all linked activity. Real estate professionals must apply enhanced due diligence to all transactions involving legal persons and arrangements, consistent with the updated beneficial ownership rules under Cabinet Decision No. 109 of 2023, which applies a 25% shareholding or control test for UBO identification.

Lawyers deserve particular attention. The UAE follows the FATF gatekeeper model: legal professional privilege does not excuse an obligation to file an STR where a lawyer is facilitating a financial transaction — for example, holding client monies, structuring a corporate acquisition, or managing real estate transfers — rather than providing bona fide legal advice or representing a client in litigation. The distinction is fact-specific, and firms should have written protocols identifying which retainers engage the reporting obligation before the transaction closes, not after.

Free zone entities are not exempt. Whether incorporated in JAFZA, DMCC, ADGM, DIFC, or another free zone, entities conducting activities that fall within the definition of financial or DNFBP activity are obligated reporters. ADGM entities with FSRA authorisation file via goAML; DIFC entities with DFSA authorisation similarly file via goAML. The platform is the single channel — there is no alternative filing route.

The STR Trigger: What Constitutes a Suspicion

FDL 10/2025 does not define a monetary threshold below which the STR obligation disappears. The trigger is suspicion or reasonable grounds for suspicion that funds constitute proceeds of crime, are related to money laundering, terrorism financing, proliferation financing, or any predicate offence — including, now, tax evasion. Article 15 of FDL 10/2025 (read with Articles 12 and 13 of Cabinet Resolution 134/2025) requires a reporting entity to file an STR without delay upon forming that suspicion, regardless of transaction size, and regardless of whether the transaction has been completed or merely attempted.

Practically, suspicion is an objective standard assessed against what a reasonable compliance officer in that sector would conclude from available information. UAE supervisors and the FIU have published sector-specific typologies — most recently updated in 2024 following FATF's removal of the UAE from the grey list in February 2024 — that identify red-flag indicators. Common triggers include: customers who are reluctant to provide beneficial ownership information consistent with Cabinet Decision 109/2023; structuring of cash deposits below AED 55,000 to avoid DPMS thresholds; mismatches between declared business activity and transaction volumes; use of shell companies in high-risk jurisdictions; and virtual asset transactions that do not comply with the Travel Rule threshold under Cabinet Resolution 134/2025.

A frequent board-level misunderstanding is that STR filing requires certainty or proof of wrongdoing. It does not. The standard is suspicion — a lower bar deliberately calibrated to generate intelligence for the FIU. Waiting for internal legal sign-off until the threshold becomes certainty is a compliance failure and potentially a criminal offence under Article 22 of FDL 10/2025. Conversely, filing in good faith confers statutory protection: Article 23 of FDL 10/2025 provides that no civil, criminal, or disciplinary liability attaches to a reporting entity or its employees for filing an STR in good faith, even if the underlying suspicion later proves unfounded.

The predicate offence expansion to include tax evasion is particularly significant for corporate treasury and finance teams. Where a counterparty's transaction pattern suggests unreported income, offshore structures inconsistent with their UAE corporate tax profile under Federal Decree-Law No. 47/2022, or transfers that appear designed to disguise taxable revenue, the corporate tax context now independently triggers an AML suspicion that must be escalated to the MLRO and assessed for STR filing.

Step-by-Step: Filing a goAML Suspicious Transaction Report in the UAE

Step 1 — System registration. Every reporting entity must register on the goAML portal administered by the UAE FIU. Registration requires designation of a Money Laundering Reporting Officer (MLRO) whose credentials are enrolled in the system. Registration itself is a regulatory obligation under Cabinet Resolution 134/2025; operating as a reporting entity without goAML registration is an independent violation. DIFC and ADGM entities access the same national platform using DFSA/FSRA credentials as applicable.

Step 2 — Internal escalation. Upon identification of a red flag by any employee, the matter must be escalated to the MLRO in writing (email or a documented internal system entry is sufficient) without tipping off the customer. The tipping-off prohibition under Article 24 of FDL 10/2025 is absolute: communicating to the subject of a report — or to any third party — that an STR has been or may be filed is a criminal offence carrying imprisonment. The MLRO reviews the escalation, conducts a documented assessment (including any open-source or database checks on the subject), and decides within the required window whether to file or to close with documented reasoning.

Step 3 — Timeline for filing. Cabinet Resolution 134/2025 requires filing within two business days of the MLRO forming a suspicion, and in urgent cases — particularly where terrorism financing or proliferation financing is suspected — immediately and before any further processing of the transaction. There is no grace period for complex cases; if further time is required to gather information, a preliminary STR can be filed and supplemented. The two-business-day clock runs from the MLRO's assessment, not from initial staff identification — reinforcing the importance of prompt internal escalation.

Step 4 — Completing the goAML report. The STR form on the portal requires: entity and MLRO identification; subject person details (name, nationality, Emirates ID or passport, address, TRN if applicable); account and transaction details including dates, amounts, and currencies; the nature of the suspicion stated factually and without legal conclusions; supporting documentation uploads (KYC records, transaction records, correspondence); and identification of the predicate offence category. Under FDL 10/2025's expanded predicate list, the relevant category — whether ML, TF, PF, or tax evasion — must be selected. Incomplete or inaccurate reports do not satisfy the obligation and may constitute negligent filing. Step 5 — Post-filing conduct. Once an STR is filed, the reporting entity must preserve all related records for a minimum of five years under Article 18 of FDL 10/2025, maintain confidentiality, and cooperate with any FIU, AMLSCU, or law enforcement follow-up request. A financial institution served with a restraint or freezing order in connection with the reported transaction must comply immediately; the Public Prosecution may seek orders under Federal Decree-Law No. 38 of 2022 (Criminal Procedure Law, in force 1 March 2023, as amended by FDL 45/2023).

The Cost of Non-Filing: Criminal, Administrative, and Reputational Exposure

Failure to file an STR — whether deliberate or through inadequate systems — engages overlapping liability channels under the current framework. At the criminal level, Article 22 of FDL 10/2025 makes failure to report a suspicious transaction an offence. Where the failure is wilful, the individual MLRO and senior managers with supervisory responsibility face criminal prosecution. FDL 10/2025's introduction of personal manager liability means that a compliance committee that overruled a filing recommendation, or a board that failed to allocate adequate compliance resources, is no longer shielded by corporate form. Conviction can result in imprisonment and fines. Importantly, FDL 10/2025 removes the statute of limitations for money laundering offences, meaning historical non-filing cannot be time-barred.

At the administrative level, supervisors may impose fines of up to AED 100 million per violation under FDL 10/2025. The CBUAE, acting under Law No. 6/2025, can impose fines up to AED 1 billion on licensed financial institutions for systemic AML failures. In 2023 and 2024, the CBUAE imposed multi-million dirham fines on several exchange houses and a tier-2 bank for transaction monitoring deficiencies — a trend that will intensify given the UAE's 2026 FATF mutual evaluation cycle, for which domestic enforcement credibility is a central criterion. Supervisors may also suspend or revoke licences, remove approved persons, and issue public censures — all of which carry substantial reputational damage in a market where correspondent banking relationships depend on perceived compliance quality.

For DNFBPs, the Ministry of Economy's DNFBP supervision unit has been actively inspecting real estate brokers, gold dealers, and corporate service providers since 2022. Findings of inadequate STR policies — not merely zero-filing records — have resulted in warnings, fines, and referrals to professional regulators. Real estate developers who closed high-value transactions without adequate UBO verification under Cabinet Decision 109/2023 and without assessing whether an STR was warranted have faced retrospective scrutiny.

There is also a specific secondary liability risk: where a reporting entity processes a transaction that subsequently proves to be a money laundering transaction, and where the FIU can demonstrate that red flags were present and an STR should have been filed, the entity may face asset forfeiture proceedings in respect of fees or profits earned on that transaction. The Public Prosecution has broad asset-tracing powers under the Criminal Procedure Law (FDL 38/2022), and the courts have shown increasing willingness to issue restraint orders on institutional respondents as well as primary suspects.

Strategic Considerations: Managing the STR Process Without Tipping Off or Prejudicing the Business

The tipping-off prohibition and the need to maintain a commercial relationship pending FIU analysis create genuine tension for reporting entities. A bank that files an STR on a significant corporate client cannot alert that client, must continue to process transactions unless and until it receives a law enforcement direction, and must ensure that no employee communication — internal or external — discloses the existence of the report. Practically, this means that STR discussions must be conducted outside normal business communication channels: dedicated compliance email threads marked privileged and confidential, held only among MLRO, legal counsel, and relevant senior management on a strictly need-to-know basis.

Where an institution wishes to exit a relationship following an STR — for example, by de-risking a client — the sequencing matters enormously. Exiting immediately after filing creates an inference of tipping off if the client later learns of the STR and its timing. Conversely, continuing a relationship indefinitely may generate secondary liability. Best practice under the current framework is to seek external legal advice before taking any relationship action post-filing, to document that any de-risking decision was made on independent grounds (e.g., routine periodic review or risk appetite reassessment), and to ensure the sequence is defensible to a regulator.

For virtual asset businesses regulated by VARA under the May 2025 Rulebooks 2.0 and the Issuance Rulebook (June 2025), the Travel Rule under Cabinet Resolution 134/2025 introduces an additional layer: transfers at or above AED 3,500 must carry originator and beneficiary information, and gaps in that information chain — for example, transfers from unhosted wallets — themselves constitute a red flag requiring STR assessment. VARA's approach to STR compliance has been closely aligned with the FATF Virtual Assets guidance, and the 2026 mutual evaluation will specifically assess the quality of VASP STR filings.

Boards should also consider the interaction between STR obligations and corporate tax compliance under Federal Decree-Law 47/2022. Where an internal investigation or external audit reveals transactions that may constitute tax evasion — now a predicate offence under FDL 10/2025 — the board faces a dual obligation: a possible voluntary disclosure to the Federal Tax Authority (carrying penalties of 1–4% under Cabinet Decision 129/2025, versus 15% on audit) and an assessment of whether an STR must be filed in respect of the underlying transactions. These obligations are not mutually exclusive, and legal counsel should be engaged to manage them in parallel from the outset.

Cross-Border Dimensions: MLA, Freezing Orders, and the Post-Grey-List Environment

The UAE's removal from the FATF grey list in February 2024, and the EU's subsequent removal of the UAE from its high-risk third-country list in 2025, have materially changed the international enforcement landscape. Mutual legal assistance requests to and from the UAE are now processed with greater speed and institutional credibility. Under Federal Law No. 39/2006 as amended by Federal Decree-Law No. 38/2023, the UAE can both receive and transmit MLA requests for asset tracing, evidence gathering, and enforcement of foreign judgments in money laundering matters. Reporting entities that receive MLA-linked production orders must comply and must not tip off the subject.

The cross-border freezing order jurisdiction has also expanded significantly. Under DIFC Court Law No. 2/2025, the DIFC Courts can grant worldwide freezing orders in support of foreign proceedings without requiring a local asset nexus — a position confirmed in practice by the ADGM decision in A17 v B17 [2025]. This means that an STR filed in the UAE may trigger an MLA request that results in a worldwide freezing order granted by the DIFC or ADGM courts, capturing assets held in jurisdictions well beyond the UAE. For HNW individuals and corporate groups with international asset bases, this is a material escalation risk that must be factored into any assessment of whether and how to engage with an FIU inquiry.

For reporting entities operating in multiple jurisdictions, the UAE STR obligation does not displace obligations in other jurisdictions. A UAE-registered branch of an international bank that files an STR in the UAE may trigger a parallel obligation in the home jurisdiction. Legal privilege considerations differ across jurisdictions, and internationally mobile clients should be advised that information shared with a UAE reporting entity for KYC purposes may flow — lawfully — to foreign law enforcement through MLA channels. The FATF 2026 mutual evaluation will assess the quality of UAE international cooperation, and domestic supervisors are expected to demonstrate robust STR-to-MLA linkage statistics.

Practical checklist

  • Register all reporting entity MLROs on the goAML portal before conducting any regulated activity.
  • Update all AML policies to reference FDL 10/2025 and Cabinet Resolution 134/2025 — not the repealed FDL 20/2018.
  • Escalate red flags to the MLRO in writing within 24 hours of identification; MLRO must file within two business days.
  • Include tax evasion and proliferation financing as explicit STR trigger categories in your compliance manual.
  • Maintain strict tipping-off controls: restrict STR discussions to a named need-to-know group on a dedicated channel.
  • Preserve all STR-related records — transaction data, KYC documents, MLRO assessments — for a minimum of five years.
  • Obtain external legal advice before de-risking a client relationship following an STR to avoid an inference of tipping off.
  • Verify UBO for all legal persons against the 25% threshold in Cabinet Decision 109/2023 before transaction completion.

What we'd typically advise

Our standard recommendation to boards and compliance committees is to treat STR filing as a legal obligation with zero tolerance for delay, not a reputational risk to be managed by suppression. The personal liability provisions of FDL 10/2025 mean that an MLRO overruled by a business line head, or a board that starves compliance of resources, is directly in the frame. We advise clients to conduct a gap analysis against FDL 10/2025 and Cabinet Resolution 134/2025 immediately — not at the next annual review cycle — and to stress-test their goAML filing capability with a simulated STR exercise. Where a potential historic filing gap is identified, voluntary engagement with the relevant supervisor, managed carefully with legal privilege, is almost always preferable to waiting for an inspection finding.

Frequently asked questions

Does filing an STR mean my institution is accusing the client of a crime?

No. An STR communicates a suspicion to the FIU for intelligence purposes — it is not a criminal accusation and has no direct legal effect on the subject. Article 23 of FDL 10/2025 expressly provides that a reporting entity and its employees incur no civil, criminal, or disciplinary liability for a good-faith filing, even if the suspicion is ultimately unfounded. The FIU analyses the report and decides whether to refer the matter to law enforcement.

Can I tell my client that I have filed — or am about to file — an STR about their account?

No. The tipping-off prohibition in Article 24 of FDL 10/2025 is absolute and applies to disclosure to the subject and to any third party not authorised to receive the information. Disclosure — including indirect disclosure through unexplained account closures, transaction holds, or questions that signal a filing — is a criminal offence. This applies to employees as well as the institution itself.

We are a law firm. Does the lawyer–client privilege protect us from having to file an STR?

Only partially. UAE law does not extend legal professional privilege to transactions where the lawyer is facilitating a financial or commercial transaction — for example, holding funds in a client account, structuring a sale, or forming a company. Privilege applies where the lawyer is providing legal advice or conducting litigation. Firms must have a written protocol distinguishing these roles within each retainer. Where the transactional gateway applies, the MLRO obligation is triggered and filing cannot be withheld on privilege grounds.

What is the deadline for filing an STR on the goAML portal once the MLRO forms a suspicion?

Cabinet Resolution 134/2025 requires filing within two business days of the MLRO forming a suspicion. Where terrorism financing, proliferation financing, or an imminent transaction is involved, filing must be immediate — before any further processing. A preliminary report can be filed and supplemented; there is no basis for delaying beyond two business days to await more information.

Our VASP processes transfers below AED 3,500. Do we still have STR obligations?

Yes. The AED 3,500 Travel Rule threshold in Cabinet Resolution 134/2025 determines when full originator and beneficiary information must accompany a transfer — it is not a floor below which AML obligations disappear. The STR obligation is triggered by suspicion at any transaction size. Below-threshold transfers can still exhibit red flags — for example, structured transfers designed to avoid the threshold — which independently require STR assessment under FDL 10/2025 and VARA Rulebooks 2.0 (May 2025).

Tax evasion is now a predicate offence. Does that mean we must file an STR every time we suspect a client has a tax issue?

Not automatically, but the threshold for STR assessment is low. Under FDL 10/2025, where there are reasonable grounds to suspect that funds are connected to tax evasion — now a predicate offence — the MLRO must conduct a documented assessment and file if suspicion is formed. This does not require proof of evasion; a pattern inconsistent with the client's disclosed corporate tax position under Federal Decree-Law 47/2022 may suffice. The MLRO assessment — and the decision either to file or to close with reasons — must be documented regardless of outcome.

What are the personal consequences for our MLRO if we fail to file a required STR?

Under FDL 10/2025, the MLRO and any senior manager whose negligence or wilful act contributed to the failure face personal criminal liability — not merely institutional liability. This can result in imprisonment, personal fines, and disqualification from holding regulated roles. The corporate veil does not shield individuals from AML enforcement under the current law. MLROs who are overruled by business lines should document their recommendation and, if overruled, consider whether they are personally required to escalate to the board or regulator.

We filed an STR six months ago and have heard nothing. Can we close the file and resume normal business with the client?

Not without documented analysis. The absence of FIU feedback does not close the compliance obligation. The reporting entity must continue to monitor the client's activity, update the STR if material new information emerges, and maintain records for the five-year minimum under Article 18 of FDL 10/2025. Any decision to continue or exit the relationship should be documented on independent grounds and reviewed with legal counsel, given the tipping-off risk associated with relationship changes proximate to an STR filing.

Related guides


Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →