What this guide covers
- The UAE Legal Framework: Bribery, Fraud and Kickbacks
- Anatomy of Procurement Kickback Schemes in the UAE
- Corporate Criminal Liability and Director Exposure
- AML and Asset Freezing Exposure Under FDL 10/2025
- Conducting a Procurement Fraud Internal Investigation in the UAE
- Self-Reporting Strategy and Mitigation in UAE Enforcement
- Consequences, Debarment and Compliance Programme Implications
- Practical checklist
- What we'd typically advise
- Frequently asked questions
Procurement fraud and kickback schemes expose UAE companies, executives and board members to criminal prosecution, asset freezing and AML liability under a rapidly modernised legal framework. Understanding that framework — and acting before investigators do — is the decisive advantage.
The UAE Legal Framework: Bribery, Fraud and Kickbacks
The primary criminal statute governing procurement fraud in the UAE is Federal Decree-Law 31/2021 (the Penal Code), which entered into force on 2 January 2022 and was amended by Federal Decree-Law 36/2022. The Penal Code criminalises a wide spectrum of conduct relevant to procurement misconduct. Article 234 addresses bribery of public officials, imposing imprisonment of not less than five years on any person who offers, promises or gives a public servant a gift or benefit — whether directly or through an intermediary — to perform or abstain from an act of their function. Article 236 extends liability to those who mediate or facilitate a bribe. Critically, Article 237 captures the private-sector dimension: bribery between private parties in connection with commercial activities attracts the same sentencing range, meaning kickback arrangements between two private companies in a procurement chain are fully within scope.
Fraud in the procurement context is primarily addressed under Articles 399–402 of FDL 31/2021, covering deception-based offences including misrepresentation in tenders, false invoicing, and collusive bid manipulation. The penalty for base fraud is imprisonment of up to three years; aggravated circumstances — such as the involvement of a public body, use of forged documents, or organised group participation — escalate penalties materially. Forgery of tender documents, qualification certificates or price schedules falls under Articles 251–260, with penalties reaching ten years' imprisonment where the forgery affects a public instrument. Price-fixing arrangements between ostensibly competing bidders also engage Articles 421–425 on criminal conspiracy.
The UAE has no standalone anti-bribery statute equivalent to the UK Bribery Act 2010, but the cumulative effect of FDL 31/2021 read alongside the AML framework under Federal Decree-Law 10/2025 creates a regime of comparable severity. Notably, FDL 10/2025 — which entered into force on 14 October 2025 and repealed FDL 20/2018 — designates bribery and fraud as predicate offences for money laundering, meaning that procurement of funds through kickbacks triggers a separate and parallel criminal exposure under the AML statute with no statute of limitations. The Cabinet Resolution 134/2025 (Executive Regulations, operative 14 December 2025) provides granular compliance obligations for designated non-financial businesses and professions that regularly participate in or service procurement processes.
For entities operating in or supplying to the public sector, Federal Law No. 6 of 2018 on Procurement in the Federal Government (and its emirate-level equivalents, such as Dubai Executive Council Resolution 1/2022 on government procurement) impose administrative debarment as an additional consequence. Debarment — exclusion from future public tenders — operates independently of criminal proceedings and can be imposed on administrative determination alone, representing a significant commercial risk that often eclipses the reputational damage of a criminal investigation in the short term.
Anatomy of Procurement Kickback Schemes in the UAE
Procurement fraud investigation UAE authorities encounter most commonly involves one of four structural patterns: (i) kickback arrangements between a supplier and a procurement officer, where the officer steers contracts in exchange for cash payments, equity stakes or benefits in kind; (ii) bid-rigging cartels among ostensibly competing vendors who rotate winning bids while sharing inflated margins; (iii) ghost vendor schemes involving fictitious suppliers controlled by insiders who invoice for services never rendered; and (iv) specification manipulation, where tender requirements are drafted so narrowly that only a pre-selected vendor can qualify. In practice, these patterns are frequently combined — a procurement officer may simultaneously own an interest in a shell company acting as a ghost vendor while also accepting personal payments from a favoured real supplier.
The financial flows in kickback schemes typically travel through layers designed to obscure beneficial ownership. Common structures in the UAE context include: payments routed through free-zone entities in JAFZA, DMCC or RAKEZ; transfers to accounts held by a spouse or close relative of the procurement officer; consultancy agreements with offshore entities as a fee-laundering mechanism; and — increasingly — settlement in cryptocurrency through platforms accessible in the UAE. The VARA Rulebook 2.0 (May 2025) and the Travel Rule threshold under Cabinet Resolution 134/2025 (AED 3,500 for virtual asset transfers) mean that crypto-denominated kickbacks now generate mandatory reporting obligations on licensed virtual asset service providers, closing a gap that was historically exploited.
The beneficial ownership register obligations under Cabinet Decision 109/2023 — which applies the 25% direct or indirect ownership threshold — are directly relevant to ghost vendor detection. A forensic review of a counterparty's ultimate beneficial ownership against the register, cross-referenced with the HR records of the relevant procurement team, is a standard early step in any internal investigation. Where the register has not been maintained accurately, the registering entity itself faces separate administrative liability, which may be relevant to cooperation discussions with regulators.
Corporate Criminal Liability and Director Exposure
A persistent misconception among UAE-based executives is that criminal liability in this jurisdiction attaches only to natural persons. FDL 31/2021 expressly provides for corporate criminal liability: under Article 65, a legal person is criminally responsible for offences committed by its representatives, directors or agents acting in its name or on its behalf, and the court may impose fines, order dissolution, or prohibit the entity from conducting certain activities. The fine imposed on a legal person is not less than double the minimum prescribed for the natural person, and there is no statutory cap that would make prosecution of the corporate entity commercially preferable to prosecuting individuals alone.
Director and officer exposure operates on two tracks under UAE law. First, under FDL 31/2021, a manager or director who directly participates in, orders, or deliberately facilitates a bribery or fraud offence is liable as a principal. Second — and this is where FDL 10/2025 represents a material escalation — Article 14 of the new AML law introduces explicit personal liability for senior managers where an AML offence occurs and the manager knew or ought to have known of the conduct and failed to take reasonable preventive measures. This is a negligence-based standard, not an intent standard, meaning that a CFO or compliance officer who received red-flag reports and failed to escalate can face personal criminal exposure even absent direct involvement in the underlying scheme.
Board members who are not executive directors are not automatically insulated. Where a board has approved a procurement policy or delegated authority that was foreseeably inadequate — for instance, allowing single-tender awards above a material threshold without independent review — and fraud subsequently occurs within that gap, prosecutors and civil claimants have both the legal theory and the documentary record to pursue board-level liability. This risk is heightened where the entity is subject to the Securities and Commodities Authority's (now the Capital Markets Authority's under Federal Decree-Law 32/2025, effective 1 January 2026) corporate governance standards, which impose affirmative board oversight obligations on listed companies with respect to internal controls and risk management.
AML and Asset Freezing Exposure Under FDL 10/2025
Federal Decree-Law 10/2025 fundamentally reshapes the AML landscape for entities implicated in procurement fraud in the UAE. The law's most significant innovations relevant to this sector are: (i) the explicit designation of tax evasion as a predicate offence for money laundering — relevant where inflated invoicing is used both to extract kickbacks and to reduce taxable profits under Federal Decree-Law 47/2022; (ii) the removal of any statute of limitations for money laundering offences, meaning conduct that might otherwise fall outside the general criminal limitation period remains perpetually prosecutable if the proceeds were commingled with funds still traceable in the UAE; (iii) fines of up to AED 100 million for legal persons; and (iv) personal liability for senior managers on a negligence standard as described above.
The procedural consequences of an AML designation are immediate and severe. Upon referral to the Public Prosecution under Federal Decree-Law 38/2022 (the Criminal Procedure Law, in force 1 March 2023, as amended by FDL 45/2023), prosecutors have broad powers under Articles 92–97 to request precautionary seizure of assets pending investigation, without prior notice to the subject. Bank accounts, real property, shares and — under the expanded FDL 10/2025 regime — virtual assets held through UAE-licensed platforms can all be frozen. The Financial Intelligence Unit (goAML platform) coordinates with the CBUAE, whose supervisory powers under CBUAE Law No. 6/2025 include administrative fines of up to AED 1 billion against financial institutions that processed tainted procurement payments without adequate due diligence.
For entities and individuals with cross-border asset exposure, the DIFC Court Law 2/2025 and the ADGM precedent in A17 v B17 [2025] are of acute importance. Both demonstrate that UAE courts and common-law financial centre courts are now willing to grant worldwide freezing orders in support of foreign and domestic proceedings without requiring a nexus to locally-situated assets. A company under investigation in Abu Dhabi for procurement fraud cannot assume that assets held through a BVI holding structure or a London account are beyond reach: a parallel ADGM or DIFC application by a government counterparty or a foreign enforcement authority can freeze those assets within days, coordinated with mutual legal assistance under Federal Law 39/2006 as amended by FDL 38/2023.
Conducting a Procurement Fraud Internal Investigation in the UAE
When a board or GC receives credible allegations of procurement misconduct — whether from a whistleblower, an external audit finding, a regulatory enquiry or a counterparty complaint — the immediate imperative is to preserve privilege and establish a defensible investigation structure. Under UAE law, legal professional privilege attaches to confidential communications between a licensed legal practitioner and their client for the purpose of obtaining legal advice. External counsel should be engaged to lead the investigation from day one; forensic accountants and digital forensics specialists should be instructed by and through counsel so that their work product falls within the privilege umbrella. Documents generated internally by compliance personnel without external counsel instruction are generally not privileged and are vulnerable to production on a search warrant executed under Articles 53–58 of FDL 38/2022.
The investigation itself should proceed in three structured phases. The first is preservation and collection: a litigation hold must be issued immediately to prevent routine document destruction, email purging or ERP data archiving. In the UAE context, particular attention must be paid to mobile communication platforms — WhatsApp, Telegram and Signal are routinely used for procurement approvals outside the formal system, and custodians should be reminded in writing of their preservation obligations. The second phase is forensic review: transaction data should be analysed against the vendor master file for red flags including single-source awards above policy thresholds, split invoicing designed to stay below approval limits, round-number payments, vendors with PO Box addresses or addresses matching employee residences, and payments to vendors registered shortly before contract award. The beneficial ownership register under Cabinet Decision 109/2023 should be checked for each vendor of interest. The third phase is witness interviews: these must be carefully sequenced — typically starting with peripheral witnesses and working inward — and interviewees must be given Upjohn-style warnings appropriate to the UAE legal context, making clear that counsel represents the company and not the individual.
A critical tactical decision during the investigation is how to manage communications with the relevant regulatory authority or prosecutorial body. The UAE Public Prosecution operates under FDL 38/2022, and prosecutors have wide investigative powers including the ability to compel testimony and production. If the investigation reveals that a crime has been committed, the company faces a strategic choice: continue confidentially and risk the matter becoming public through a third-party complaint; or self-report and seek to control the narrative and potentially obtain mitigation credit. This decision should be made on the basis of the specific facts, the identity of the individuals implicated, whether government entities are involved, and the degree of regulatory scrutiny already in train — not on a generic rule of thumb.
Self-Reporting Strategy and Mitigation in UAE Enforcement
The UAE does not have a codified deferred prosecution agreement (DPA) regime equivalent to the UK's Crime and Courts Act 2013, and there is no statutory self-reporting discount in the Penal Code equivalent to the US Federal Sentencing Guidelines' reduction for acceptance of responsibility. However, voluntary cooperation with the Public Prosecution is consistently taken into account in sentencing, and the practical benefit of self-reporting in a procurement fraud context — particularly where a government entity is the victim — extends well beyond the formal criminal process. Early engagement with the relevant government body (a ministry, authority or state-owned enterprise) before prosecutors are involved can lead to a civil settlement that resolves the matter administratively, avoids debarment from future tenders, and preserves the commercial relationship, outcomes that no criminal process can deliver.
Under FDL 10/2025, there is an explicit acknowledgment that cooperation and voluntary disclosure are relevant factors in AML enforcement, consistent with the FATF standards to which the UAE committed in the context of its successful grey-listing exit in February 2024. The UAE's next FATF mutual evaluation is anticipated in 2026, meaning that enforcement authorities are institutionally incentivised to demonstrate robust but fair AML enforcement, including credible recognition of cooperative conduct. This creates a narrow but real window for entities that discover procurement fraud, conduct a thorough internal investigation, remediate their controls, and approach authorities proactively to achieve a more calibrated outcome than entities that are the subject of a complaint-driven investigation.
Self-reporting is most effective where it is accompanied by a comprehensive remediation package: a written investigation report (appropriately structured for privilege), a root-cause analysis, evidence of disciplinary action against implicated employees, an enhanced procurement controls framework, and a compliance monitor if the regulator requests one. Where the matter touches on AML predicate offences, a voluntary STR (Suspicious Transaction Report) filed through the goAML system prior to any regulatory contact is a tangible indicator of good faith that prosecutors and the FIU will note. Companies that self-report after an STR has already been filed by their bank are in a materially weaker position and should take immediate advice.
Consequences, Debarment and Compliance Programme Implications
The consequences of a successful prosecution for procurement fraud in the UAE are multi-layered and long-lasting. At the criminal level, individuals convicted of bribery under Article 234 of FDL 31/2021 face a minimum of five years' imprisonment, ineligibility for public office, and deportation in the case of non-citizens — a consequence that is automatic and not subject to judicial discretion in respect of the deportation element for certain categories of offence. At the corporate level, fines, dissolution, and prohibition from operating in specified sectors are all available under Article 65. Asset confiscation — including the confiscation of proceeds, instrumentalities and commingled funds — is ordered as a matter of course under Article 68 of FDL 31/2021 and reinforced by FDL 10/2025 for AML-designated matters, where no limitation period applies.
Administrative debarment from government procurement operates on a separate track. The Federal Government Procurement Law (Federal Law 6/2018) and its implementing regulations allow the procuring entity to refer a vendor to the Ministry of Finance for inclusion on the Unified Debarment Register, which restricts participation in federal tenders. Emirate-level debarment registers operate independently — a company debarred at the federal level is not automatically debarred in Dubai or Abu Dhabi, but a conviction or a civil settlement involving fraud or bribery typically triggers review under all registers. Debarment is a severe commercial sanction for companies whose business is predominantly or materially government-facing, and its potential duration — which may extend to permanent exclusion for the most serious cases — requires it to be treated as a primary risk in any case strategy.
From a compliance programme perspective, a procurement fraud investigation — even one resolved without prosecution — should be the trigger for a comprehensive overhaul of the entity's procurement controls. The minimum components of a defensible UAE-compliant procurement compliance programme include: a documented conflicts-of-interest policy with mandatory disclosure and recusal procedures; a vendor due diligence framework aligned to Cabinet Decision 109/2023 beneficial ownership standards; segregation of duties between requisitioning, approval and payment functions; a threshold-triggered competitive tendering requirement with written justification for exceptions; an anonymous reporting channel (whistleblower hotline) with board-level oversight; and annual training for procurement and finance staff. Where the entity is a financial institution, the CBUAE's supervisory expectations under Law No. 6/2025 impose additional requirements, and the potential administrative fine of up to AED 1 billion for institutional failures provides a powerful board-level incentive for genuine, not cosmetic, compliance.
Practical checklist
- Instruct external criminal counsel immediately upon receipt of any procurement fraud allegation.
- Issue a litigation hold to all relevant custodians, including mobile device and messaging app data.
- Commission beneficial ownership checks on all vendors of interest against Cabinet Decision 109/2023 registers.
- Sequence internal witness interviews from peripheral to central witnesses, with Upjohn warnings throughout.
- Assess whether a voluntary STR via goAML is required before any regulatory engagement under FDL 10/2025.
- Evaluate self-reporting and civil settlement options before prosecutors receive a third-party complaint.
- Prepare a remediation package — root cause analysis, enhanced controls, disciplinary actions — for regulatory presentation.
- Review board-level delegation of authority thresholds and procurement policies for AML personal liability gaps under FDL 10/2025 Article 14.
What we'd typically advise
When we are instructed at the outset of a procurement fraud matter, our first priority is to establish a legally privileged investigation structure that insulates the company's findings from compelled production. The second is to move faster than any potential complainant or regulator. In our experience, the difference between a matter resolved through a negotiated civil settlement and one that becomes a criminal prosecution often comes down to the first two weeks after discovery of the issue.
We would typically advise the board to commission an independent investigation scoped by external counsel, present preliminary findings to the audit committee under privilege, and engage proactively — but strategically — with the relevant authority. This is not a process that benefits from delay, internal management, or the hope that the issue will not surface. Under FDL 10/2025, the personal exposure of senior managers who receive red-flag information and fail to act is real and immediate.
Frequently asked questions
Can our company face criminal prosecution in the UAE even if the procurement fraud was carried out by a single rogue employee?
Yes. Under Article 65 of Federal Decree-Law 31/2021, a legal person is criminally responsible for offences committed by its representatives or agents acting in its name or on its behalf. The company can be prosecuted alongside the individual. Whether prosecutors pursue corporate liability in practice depends on the seniority of the implicated employee, the adequacy of pre-existing controls, and whether the company cooperated. A demonstrably robust compliance programme that the employee circumvented is the strongest mitigating factor available to the entity.
Is a kickback arrangement between two private companies — with no government party involved — a criminal offence under UAE law?
Yes. Article 237 of Federal Decree-Law 31/2021 extends private-sector bribery to commercial dealings between private parties. A supplier paying a procurement manager of a private company a commission to favour its bids constitutes a criminal offence regardless of whether any government entity is involved. Both the payer and the recipient face prosecution, as does any intermediary under Article 236.
Our bank has just frozen our accounts following a suspicious transaction report. What are our immediate rights?
A freeze following an STR is typically imposed under the AML framework — now Federal Decree-Law 10/2025 — and coordinated with the Public Prosecution under Federal Decree-Law 38/2022. You are entitled to legal representation immediately. External counsel can engage the Public Prosecution to understand the basis of the freeze, seek proportionate relief for operating expenses, and challenge the freeze before the competent court if it lacks a proper legal basis. Acting quickly matters: un-challenged freezes can be extended repeatedly during an investigation that has no statutory time limit under FDL 10/2025 for AML matters.
If we self-report procurement fraud to the authorities, is there a guaranteed reduction in any fine or sentence?
There is no codified DPA regime or statutory discount in the UAE equivalent to those in UK or US law. However, voluntary cooperation and self-reporting are consistently treated as mitigating factors in sentencing under UAE criminal practice, and early engagement with a government victim-entity can produce a civil settlement that avoids criminal proceedings entirely. The Federal Decree-Law 10/2025 AML framework explicitly recognises cooperative conduct as relevant to enforcement outcomes, consistent with FATF standards. The benefit is real but not guaranteed, and the decision to self-report must be taken on the specific facts with experienced criminal counsel.
Can a procurement fraud investigation in the UAE lead to freezing of our overseas assets?
Yes. The DIFC Court Law 2/2025 and the ADGM decision in A17 v B17 [2025] confirm that UAE common-law financial centre courts will grant worldwide freezing orders in support of domestic and foreign proceedings without requiring that the relevant assets be situated in the UAE. Separately, the UAE has extradition and mutual legal assistance arrangements under Federal Law 39/2006 as amended by Federal Decree-Law 38/2023, enabling coordinated freezing requests to foreign jurisdictions. Overseas assets held through offshore holding structures are not insulated from these mechanisms.
What is the risk for a CFO or compliance officer who received internal reports flagging procurement irregularities but did not escalate them?
The risk is significant. Article 14 of Federal Decree-Law 10/2025 imposes personal criminal liability on senior managers where an AML offence occurs and the manager knew or ought to have known of the conduct but failed to take reasonable preventive action. This is a negligence standard: intent to participate in the fraud is not required. A CFO who received audit committee reports, compliance memos or internal audit flags identifying procurement anomalies and failed to cause meaningful action faces personal prosecution exposure under both the AML statute and, potentially, as a secondary party under Articles 45–47 of Federal Decree-Law 31/2021.
Our company has been debarred from a government tender on the basis of fraud allegations that have not yet been proven in court. Is this lawful and can it be challenged?
Administrative debarment under the Federal Government Procurement Law (Federal Law 6/2018) and its implementing regulations can be imposed on the basis of an administrative determination by the procuring entity or the Ministry of Finance, prior to and independently of any criminal conviction. It is lawful under UAE administrative law. However, it is challengeable before the Federal Administrative Court if the entity can demonstrate procedural unfairness, absence of evidence, or disproportionality. Legal challenge should be pursued promptly — delay weakens the position and allows the commercial damage to compound.
How does the new AML law FDL 10/2025 change our exposure compared with the previous FDL 20/2018?
Federal Decree-Law 10/2025 makes three changes of direct relevance to procurement fraud. First, tax evasion is now an explicit AML predicate, meaning that if inflated procurement invoicing was used to reduce taxable income under Federal Decree-Law 47/2022, the tax offence itself generates AML exposure. Second, there is no statute of limitations for money laundering — historical transactions remain prosecutable indefinitely if traceable proceeds remain in scope. Third, personal manager liability under Article 14 on a negligence standard is new; FDL 20/2018 had no equivalent provision. Fines for legal persons also increase to AED 100 million under FDL 10/2025.
Related guides
Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.