AML & Financial Crime

MLRO and Manager Personal Liability Under the 2025 UAE AML Law

AML & Financial Crime

What this guide covers

  1. The 2025 Legal Framework: What Changed for MLROs and Managers
  2. The 'Should Have Known' Standard: A Practitioner's Analysis
  3. Tipping-Off: Criminal Exposure for MLROs and Their Advisers
  4. Imprisonment, Fines and Administrative Sanctions: Quantifying the Personal Risk
  5. Defensive Architecture: What MLROs and Managers Must Do Now
  6. Criminal Procedure and Investigation: How UAE Authorities Pursue MLRO Cases
  7. Board and Senior Management Governance: Systemic Risk and Collective Liability
  8. Practical checklist
  9. What we'd typically advise
  10. Frequently asked questions

Federal Decree-Law 10/2025 fundamentally redraws personal liability for MLROs and senior managers in the UAE. Compliance officers now face imprisonment, fines to AED 100 million and unlimited lookback periods if they knew — or should have known — that a transaction was suspicious.

Federal Decree-Law 10/2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations entered into force on 14 October 2025, repealing Federal Decree-Law 20/2018 in its entirety. Cabinet Resolution 134/2025 (the Executive Regulations, effective 14 December 2025) operationalises FDL 10/2025 and together these instruments represent the most structurally significant overhaul of UAE AML/CFT law since the 2018 framework. For compliance officers, the critical shift is the explicit codification of personal manager liability — a provision that was implicit and unevenly enforced under FDL 20/2018 but is now unambiguously stated.

Under FDL 10/2025, a 'Responsible Manager' — defined broadly to capture any natural person exercising effective control or oversight of an obliged entity's AML compliance function, including the Money Laundering Reporting Officer (MLRO), the Compliance Officer, the CEO and, in some cases, board members — can be held personally criminally and administratively liable for failures that occur on their watch. This is not vicarious liability: it is direct, first-order liability contingent on what the manager knew or should have known. The predicate offence catalogue has also been expanded: tax evasion and proliferation financing are now express predicates under FDL 10/2025, meaning suspicious activity connected to corporate tax non-compliance under FDL 47/2022 or sanctions-adjacent conduct can generate MLRO exposure in ways the 2018 regime did not contemplate.

Cabinet Resolution 134/2025 further clarifies supervisory expectations around internal reporting channels, escalation timelines and the documentation an MLRO must maintain to demonstrate a defensible decision not to file a Suspicious Transaction Report (STR). The absence of that documentation is itself an aggravating factor when regulators assess whether the 'should have known' threshold was met. Financial institutions — whether licensed by the CBUAE under Law No. 6/2025, regulated by the SCA's successor the CMA under FDL 32/2025, or registered with VARA under its May 2025 Rulebooks 2.0 — are all subject to FDL 10/2025's personal liability architecture.

The 'Should Have Known' Standard: A Practitioner's Analysis

The most consequential doctrinal change in FDL 10/2025 for individual compliance officers is the explicit lowering of the mental-element threshold from actual knowledge to a constructive or objective standard: the MLRO is exposed where they knew or should have known that a transaction or business relationship was connected to criminal proceeds. This mirrors developments in mature FATF-member jurisdictions but represents a departure from the more intent-driven approach that UAE enforcement practice had historically reflected under the 2018 framework. In practical terms, it means that prosecutorial or regulatory authorities no longer need to establish that the MLRO consciously recognised a red flag and deliberately suppressed it — they need only demonstrate that a competent, diligent compliance officer in the same position would have identified the suspicious characteristics.

The objective standard is assessed against a contextual matrix drawn from the MLRO's own institution's documented risk appetite, its customer risk assessments, its transaction monitoring thresholds and the typologies guidance published by the UAE Financial Intelligence Unit (UAE-FIU) and FATF. An MLRO who failed to programme transaction monitoring rules aligned with current FIU guidance, who approved onboarding of a high-risk customer without enhanced due diligence, or who allowed an STR decision to lapse undocumented is objectively more exposed than one whose files evidence a reasoned, contemporaneous analysis. Cabinet Resolution 134/2025 prescribes minimum content for internal investigation records and STR decision memoranda; non-compliance with those prescriptions is probative evidence that the 'should have known' standard is satisfied.

Senior managers and board members who receive escalation reports and take no meaningful action are equally at risk. FDL 10/2025 does not confine liability to the designated MLRO: any person exercising effective oversight of the compliance function — including a CFO who approves a transaction after being alerted to concerns, or a CEO who overrides an MLRO recommendation — falls within the personal liability perimeter. This has significant governance implications: board risk committees that receive sanitised AML updates without engaging substantively with underlying red flags may find, post-incident, that the record supports a finding that they 'should have known.' Boards should therefore demand granular, unredacted AML reporting and ensure minutes evidence genuine scrutiny rather than passive receipt.

Tipping-Off: Criminal Exposure for MLROs and Their Advisers

FDL 10/2025 retains and strengthens the tipping-off prohibition that existed under FDL 20/2018. An MLRO — or any person with knowledge of a pending or filed STR — commits the offence of tipping-off if they disclose, directly or indirectly, to the subject of the report or to a third party that an STR has been filed, that an investigation is underway, or that a suspicious activity analysis is being conducted. The offence is strict in its application to the fact of reporting: even a well-intentioned disclosure to a customer to allow them to 'correct' a transaction, or a communication to a relationship manager who then adjusts their client interaction, can constitute tipping-off.

The practical tension for MLROs is acute. When a customer asks why their account has been frozen or why a transaction is delayed, the MLRO must navigate between the duty of candour owed to the customer under contract and the criminal prohibition on disclosure. FDL 10/2025 and Cabinet Resolution 134/2025 permit an obliged entity to decline to provide reasons for a transaction refusal or account restriction where doing so would amount to tipping-off, and this statutory basis should be invoked expressly and documented. The MLRO should not permit relationship managers or customer-facing staff to communicate with the subject without a pre-approved tipping-off-compliant script, reviewed by legal counsel.

External legal advisers face parallel exposure. A lawyer who receives confidential information from a client and advises in a way that the MLRO — or the lawyer themselves — later discloses to the subject of a pending STR risks personal criminal liability under FDL 10/2025 and potential Penal Code exposure under Federal Decree-Law 31/2021 (as amended by FDL 36/2022). Legal professional privilege provides some protection for genuine legal advice but does not extend to facilitating the disclosure itself. MLROs instructing external counsel on a live STR or post-STR investigation must ensure that all communications are structured to preserve privilege and that no information flows back to the subject through any channel, including through group legal functions where the subject's own legal team may have access.

Where an institution operates across the DIFC or ADGM, parallel tipping-off regimes apply under those jurisdictions' own AML frameworks. The DIFC's AML Law and the ADGM's Financial Services and Markets Regulations each contain tipping-off provisions that are substantially consistent with FDL 10/2025 but enforced by independent regulators. An MLRO operating across onshore and offshore entities must ensure that STR filings and subsequent communications are compartmentalised so that information shared within the group does not inadvertently tip-off a subject monitored in one jurisdiction through a disclosure made in another.

Imprisonment, Fines and Administrative Sanctions: Quantifying the Personal Risk

FDL 10/2025 imposes a tiered criminal penalty structure. At the apex, an MLRO or manager convicted of money laundering — including where liability is established on the 'should have known' standard — faces imprisonment of not less than one year, with the court having discretion to impose substantially longer terms depending on the seriousness, the value of funds involved and whether the conduct was systematic or involved an organised criminal network. These custodial sentences are not suspended automatically for first-time offenders in commercial contexts; UAE courts have imposed immediate custodial sentences in AML cases, and the removal of the UAE from the FATF grey list in February 2024 has coincided with intensified enforcement as authorities demonstrate sustained compliance. The no-statute-of-limitations provision in FDL 10/2025 — applying specifically to money laundering offences — means that conduct from years prior to the 2025 law's commencement can still be prosecuted if it is discovered during an investigation commenced after 14 October 2025, provided the act was an offence under FDL 20/2018 at the time.

Administrative fines against natural persons under FDL 10/2025 reach AED 100 million — a significant escalation from the prior regime. These fines are imposed by the relevant supervisory authority (CBUAE, CMA, VARA or the Ministry of Economy for DNFBPs) and do not require a criminal conviction. The CBUAE's own administrative penalty powers under Law No. 6/2025 are even more expansive, with fines reaching AED 1 billion at the institutional level. For the individual MLRO, the realistic exposure is the AED 100 million ceiling, but any fine above AED 1 million has immediate practical consequences including potential travel bans, asset freezes and reputational consequences that functionally end a compliance career in the UAE market.

Beyond fines and imprisonment, FDL 10/2025 enables regulators to impose disqualification orders preventing a natural person from serving as an MLRO, compliance officer, board member or senior manager in any regulated entity. The Federal Penal Code (FDL 31/2021, Art. 65–68) further provides that a conviction carrying imprisonment may result in automatic suspension of civil rights, including the right to manage companies. For expatriate professionals — the majority of MLROs in UAE financial institutions — a conviction also triggers potential visa cancellation and deportation under UAE immigration law, with consequences for any future UAE residency or work permit applications. The combination of custodial risk, financial penalty, career disqualification and immigration consequences makes personal liability under FDL 10/2025 materially more severe than anything the 2018 regime produced in practice.

Defensive Architecture: What MLROs and Managers Must Do Now

Given the shift to the 'should have known' standard, an MLRO's primary defence is a contemporaneous, auditable record demonstrating that their decisions were consistent with what a competent, diligent professional in their position would have concluded on the information available. This requires a structured internal investigation protocol — prescribed in substance by Cabinet Resolution 134/2025 — for every STR decision, whether the outcome is to file or not to file. Not-to-file decisions are, counterintuitively, the higher-risk category because they represent a judgment that the regulator or prosecutor may later second-guess. Every not-to-file decision should be documented in a formal memorandum setting out the red flags identified, the information gathered, the analysis applied and the conclusion reached, signed by the MLRO and retained indefinitely given the absence of a limitations period for ML offences.

Transaction monitoring systems must be calibrated against current UAE-FIU typologies guidance and Cabinet Resolution 134/2025 requirements. An MLRO who cannot demonstrate that monitoring rules were reviewed and updated following each major FIU typologies publication is exposed to the argument that systemic gaps in monitoring — rather than individual transaction failures — were the mechanism through which suspicious activity went unreported. Internal audit should conduct an annual review of monitoring rule effectiveness, with findings reported to the board risk committee and documented in board minutes.

Customer risk assessments must reflect the expanded predicate offence list under FDL 10/2025. Customers with exposure to tax structures that may engage FDL 47/2022 corporate tax obligations, or to jurisdictions listed as high-risk by the UAE-FIU, or involved in dual-use goods transactions that touch on proliferation financing, all require enhanced due diligence under Cabinet Resolution 134/2025. Beneficial ownership verification must comply with Cabinet Decision 109/2023's 25% threshold, and the MLRO should maintain evidence of direct ownership verification rather than reliance on customer self-certification. For virtual asset obliged entities, VARA Rulebooks 2.0 (May 2025) and the Travel Rule threshold of AED 3,500 under Cabinet Resolution 134/2025 require specific counterparty verification procedures that the MLRO must document separately from general CDD files.

Personal employment protections are a neglected dimension of MLRO risk management. An MLRO who files an STR against the instruction of senior management, or who refuses to approve a transaction that the CEO has directed, requires contractual and, ideally, regulatory protection against dismissal or demotion. Cabinet Resolution 134/2025 includes whistleblower-adjacent provisions protecting those who report in good faith to the UAE-FIU, but these do not comprehensively protect against private employment termination. MLROs should ensure their employment contracts include explicit protections against adverse action for good-faith regulatory compliance decisions, and should document in writing any situation where their professional judgment is overridden by management.

Criminal Procedure and Investigation: How UAE Authorities Pursue MLRO Cases

Criminal investigations against MLROs and compliance managers in the UAE are conducted under Federal Decree-Law 38/2022 (Criminal Procedure Law, in force 1 March 2023, as amended by FDL 45/2023). The UAE-FIU receives STRs and disseminates financial intelligence to the Public Prosecution. The Public Prosecution has broad investigative powers under FDL 38/2022 including the power to order asset freezes, travel bans and the seizure of devices and records without prior judicial authorisation in urgent cases. An MLRO who becomes the subject of an investigation — even at the preliminary inquiry stage — may find that their passport is retained, their accounts are frozen and their employer has received a formal request for records before they are even notified of the investigation.

FDL 38/2022 provides the accused with the right to legal representation from the point of formal charge, and a competent defence requires counsel to be engaged before that point — at the moment an individual becomes aware that they are a person of interest in a regulatory or criminal inquiry. Early engagement with the Public Prosecution through experienced UAE criminal counsel can, in appropriate cases, result in the investigation being contained at the administrative level or resolved through voluntary cooperation and remediation before charges are filed. However, voluntary disclosure of failures to the regulator — while potentially mitigating administrative penalties — does not provide immunity from criminal prosecution, and the decision to self-report should only be taken after careful legal analysis of the specific facts.

Asset freezing in support of UAE AML investigations can now be effected across jurisdictions more efficiently following the extension of the DIFC Court's worldwide freezing jurisdiction under DIFC Court Law 2/2025 and the ADGM's position confirmed in A17 v B17 [2025], where worldwide freezing orders were granted in support of foreign proceedings without requiring a local-asset nexus. An MLRO facing parallel proceedings in the UAE and another jurisdiction should be alert to the risk that assets held offshore are frozen in support of UAE proceedings, or that UAE-held assets are frozen in support of foreign proceedings, through these mechanisms. Mutual legal assistance under Federal Law 39/2006 (as amended by FDL 38/2023) further enables the UAE to request asset restraint, evidence gathering and extradition from treaty partners — and for foreign authorities to make equivalent requests to UAE authorities in respect of UAE-based MLROs.

Board and Senior Management Governance: Systemic Risk and Collective Liability

FDL 10/2025 does not confine personal liability to the designated MLRO. The 'Responsible Manager' definition is functional rather than titular: any natural person who exercises effective decision-making authority over the AML compliance function — including a Group Compliance Director, a Chief Risk Officer, a CEO who routinely reviews and approves high-risk onboarding, or a board audit and risk committee member who receives detailed AML reports — falls within the statutory definition. This creates a governance imperative for boards that is distinct from ordinary fiduciary duty: passive oversight of AML compliance is now a source of personal criminal risk, not merely a reputational or regulatory concern.

Boards and senior management of obliged entities should, as a matter of priority following the commencement of FDL 10/2025, commission an independent gap analysis of their AML/CFT framework against Cabinet Resolution 134/2025's requirements. That analysis should specifically assess: whether the MLRO has adequate authority and resources to discharge their functions independently of commercial pressure; whether escalation paths from the MLRO to the board are documented and followed in practice; whether board minutes evidence substantive engagement with AML risk rather than formulaic approval; and whether individual directors and senior managers have received training sufficient to ground a 'should have known' defence.

For financial institutions regulated by the CBUAE under Law No. 6/2025, the CBUAE's supervisory expectations — including on-site inspections, thematic reviews and targeted individual interviews — have become significantly more intensive following the UAE's FATF grey-listing in 2022 and subsequent removal in February 2024. The 2026 mutual evaluation will test whether institutional improvements have been embedded at the individual level. Regulators have indicated that they will scrutinise the personal conduct of named compliance officers, not merely institutional systems. Directors and senior managers of CMA-regulated entities under FDL 32/2025 face equivalent scrutiny, and the new capital markets framework under FDL 33/2025 — which codifies insider-dealing and manipulation offences with penalties to AED 200 million — intersects with AML obligations where market abuse proceeds are involved, creating compounded personal liability risk for compliance officers at securities firms.

Practical checklist

  • Document every STR decision — including not-to-file decisions — in a signed, dated memorandum retained indefinitely.
  • Calibrate transaction monitoring rules against current UAE-FIU typologies after each guidance update.
  • Verify beneficial ownership to the 25% threshold under Cabinet Decision 109/2023 with primary-source evidence.
  • Apply enhanced due diligence to customers with corporate tax, proliferation financing or sanctions-adjacent exposure.
  • Ensure employment contracts include written protection against adverse action for good-faith compliance decisions.
  • Brief board risk committees with unredacted AML data and ensure minutes evidence substantive engagement.
  • Apply VARA Travel Rule procedures for virtual asset transfers at or above the AED 3,500 threshold.
  • Engage UAE criminal counsel immediately upon learning you are a person of interest — before formal charge.

What we'd typically advise

Our first counsel to any MLRO or senior manager reviewing their position under FDL 10/2025 is this: treat the 'should have known' standard as if it were already being applied to your files today, because in a future investigation it will be. The question an investigator will ask is not what you intended, but what your records show a diligent professional in your position would have done.

We recommend an immediate audit of your STR decision-making records, monitoring rule calibration and EDD documentation against Cabinet Resolution 134/2025's requirements. Where gaps exist, remediate them and document the remediation. Where commercial pressure has historically influenced compliance decisions, that dynamic needs to be restructured now — with board sign-off — before it becomes evidence of systemic failure. Personal indemnity arrangements and contractual protections should be reviewed by employment and criminal counsel together. If an investigation has already commenced, instruct experienced UAE criminal defence counsel before making any voluntary disclosures.

Frequently asked questions

Can I be personally imprisoned as an MLRO even if the bank itself is separately fined?

Yes. FDL 10/2025 imposes concurrent liability on the institution and the individual. An administrative fine against your employer does not discharge your personal criminal exposure. The personal liability provisions of FDL 10/2025 are directed at natural persons exercising compliance functions, and a custodial sentence for the MLRO can coexist with a separate institutional fine reaching AED 100 million or, in the case of CBUAE-regulated entities, up to AED 1 billion under Law No. 6/2025.

Does the 'should have known' standard mean I am liable for every transaction my team missed?

Not automatically. The standard is objective but contextual. You are assessed against what a competent, diligent MLRO with your resources, systems and the information available to you would have done. Systemic failures — poorly calibrated monitoring, inadequate staffing, suppressed escalations — are more likely to satisfy the standard than isolated missed transactions. Thorough contemporaneous documentation of your framework and your decisions is your primary defence under FDL 10/2025 and Cabinet Resolution 134/2025.

What can I say to a customer whose transaction has been delayed because of an STR?

Very little, and carefully. FDL 10/2025 prohibits disclosing that an STR has been filed or that a suspicious activity inquiry is underway. You may tell the customer that the transaction is subject to standard regulatory review and that you are unable to provide further detail. That response should be pre-approved by legal counsel and delivered through a scripted channel — not by the relationship manager independently. Any deviation from this approach risks a tipping-off charge carrying criminal penalties.

I am a non-executive director. Can I be personally liable under FDL 10/2025?

Potentially, yes, if you exercise effective oversight of the compliance function. The 'Responsible Manager' definition in FDL 10/2025 is functional. A non-executive director who chairs a board risk committee receiving detailed AML reports and who approves high-risk business relationships may be found to have exercised sufficient oversight to fall within the definition. The risk is proportionate to the depth of your documented involvement in AML decision-making.

Does FDL 10/2025 apply to DIFC and ADGM entities?

FDL 10/2025 applies onshore UAE. DIFC and ADGM have their own AML frameworks enforced by DFSA and FSRA respectively. However, an MLRO at a group with both onshore and offshore entities has obligations under all applicable regimes simultaneously. FDL 10/2025's expanded predicate list — including tax evasion and proliferation financing — affects risk assessments across the group even where the primary regulated entity sits within a financial free zone.

Is there a limitation period for prosecuting me for historic AML failures?

No. FDL 10/2025 expressly removes any statute of limitations for money laundering offences. Conduct that occurred under the prior FDL 20/2018 regime can be prosecuted after 14 October 2025 if it amounted to an offence at the time and is discovered in a new investigation. This unlimited lookback period makes historical compliance file quality as important as current practice.

What protection do I have if management overrides my decision not to approve a transaction?

Cabinet Resolution 134/2025 includes protections for individuals who report in good faith to the UAE-FIU. Beyond that, your protection is primarily contractual and documentary. You should record the override in writing, preserve your own written objection, and ensure your employment contract protects you from adverse action for good-faith compliance decisions. If the transaction later generates an STR or investigation, your documented objection is critical evidence distinguishing your conduct from that of the managers who overrode you. Seek independent legal advice before complying with an instruction you believe breaches FDL 10/2025.

We are a virtual asset service provider under VARA. Does FDL 10/2025 apply to us in addition to VARA rules?

Yes. VARA Rulebooks 2.0 (May 2025) and FDL 10/2025 apply concurrently to VARA-licensed entities. Cabinet Resolution 134/2025 establishes the Travel Rule threshold at AED 3,500 for virtual asset transfers, and your MLRO must ensure counterparty verification procedures meet this requirement. Personal MLRO liability under FDL 10/2025 applies to virtual asset obliged entities in the same way as to traditional financial institutions, and VARA has its own administrative enforcement powers that layer on top of the FDL 10/2025 regime.

Related guides


Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →