What this guide covers
- The Legal Framework: FDL 10/2025 and the CPF Mandate
- Standalone CPF Risk Assessments: What the Law Actually Requires
- Dual-Use Goods, Export Controls, and the CPF Nexus
- Targeted Financial Sanctions Screening: The CPF-Specific Obligation
- Personal Manager Liability and Penalty Exposure Under FDL 10/2025
- Sector-Specific Application: VASPs, DNFBPs, Trade Finance, and Free Zones
- Strategic Remediation: Building a Defensible CPF Compliance Programme
- Practical checklist
- What we'd typically advise
- Frequently asked questions
Federal Decree-Law 10/2025, in force 14 October 2025, elevates counter-proliferation financing from a footnote to a standalone compliance pillar — with fines reaching AED 100 million and personal manager liability. Most UAE firms have not yet adapted.
The Legal Framework: FDL 10/2025 and the CPF Mandate
Federal Decree-Law 10/2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Illegal Organisations, and Countering Proliferation Financing (in force 14 October 2025) repeals Federal Decree-Law 20/2018 in its entirety. The decisive structural change is the elevation of proliferation financing (PF) to a fully independent obligation, not merely an annex to CFT requirements. Cabinet Resolution 134/2025, which sets out the Executive Regulations (in force 14 December 2025), operationalises this through dedicated CPF chapters covering risk assessment methodology, customer due diligence calibration, and targeted financial sanctions (TFS) screening obligations linked specifically to UN Security Council resolutions on weapons of mass destruction proliferation.
Under FDL 10/2025, proliferation financing is defined as the provision or collection of funds or financial services, directly or indirectly, with the knowledge that they are to be used, in whole or in part, to finance the development, manufacture, acquisition, possession, transportation, transfer, or deployment of biological, chemical, nuclear, or radiological weapons capable of mass destruction, or their delivery systems. This definition mirrors the FATF standard adopted in 2019 when FATF Recommendation 1 was amended to require standalone CPF risk assessments — a requirement the UAE formally incorporated only with FDL 10/2025. Firms and individuals relying on their 2018-era AML frameworks are, as of 14 October 2025, operating in breach of current law.
The predicate offence architecture under FDL 10/2025 also expressly adds tax evasion as a money-laundering predicate alongside proliferation financing — a point relevant to dual-use goods traders whose structuring of payments may simultaneously attract ML exposure. Practitioners should note that the Criminal Procedure framework governing investigation and prosecution of these offences is Federal Decree-Law 38/2022 (in force 1 March 2023, as amended by FDL 45/2023), not the repealed 1992 procedural code often cited in outdated compliance manuals.
The regulatory perimeter is deliberately broad. FDL 10/2025 and Cabinet Resolution 134/2025 apply to all Designated Non-Financial Businesses and Professions (DNFBPs) — including real estate brokers, dealers in precious metals and stones, corporate service providers, lawyers when conducting certain transactions, and auditors — as well as to all licensed financial institutions, Virtual Asset Service Providers (VASPs) regulated under VARA Rulebooks 2.0 (May 2025), and free zone entities operating financial or trading activities. The geographic reach is not limited to onshore UAE; DIFC and ADGM firms are subject to parallel CPF obligations under their respective regulator frameworks, which are required to be consistent with FDL 10/2025 by virtue of its federal supremacy provisions.
Standalone CPF Risk Assessments: What the Law Actually Requires
The most consequential new operational requirement under FDL 10/2025 read with Cabinet Resolution 134/2025 is the standalone CPF risk assessment. This is distinct from the business-wide ML/TF risk assessment that firms were already required to conduct under the 2018 regime. A CPF risk assessment must specifically evaluate: (i) the firm's exposure to customers, products, delivery channels, or geographic markets that present proliferation financing risk; (ii) the adequacy of existing controls against that specific risk typology; and (iii) the firm's exposure to circumvention of targeted financial sanctions linked to UNSC proliferation resolutions — in particular, those designating entities and individuals connected to DPRK, Iran, and other sanctioned weapons programmes.
Cabinet Resolution 134/2025 requires the CPF risk assessment to be documented, periodically reviewed (at minimum annually or upon any material change in business model or customer profile), and made available to supervisory authorities on request. The assessment must be risk-based and proportionate, but proportionality does not mean cursory. For a trading company, logistics operator, or financial institution with any exposure to dual-use goods, the assessment will be expected to map specific product categories against the EU Dual-Use Regulation lists and the relevant UNSC annexes, identify high-risk jurisdictions, and evaluate the sufficiency of end-user certification and transaction monitoring controls.
A critical practical point: the UAE's National Risk Assessment, as updated following FATF's removal of the UAE from the grey list in February 2024, identifies the trade finance sector, free zone traders, and DPMS (dealers in precious metals and stones) as carrying elevated CPF risk. Firms in these sectors should treat the CPF risk assessment as a high-stakes regulatory deliverable, not a compliance checkbox. Supervisors — including the Central Bank of UAE, the Securities and Commodities Authority (transitioning to the Capital Markets Authority under Federal Decree-Law 32/2025 from 1 January 2026), and the Ministry of Economy for DNFBPs — are actively requesting CPF risk assessment documentation in examination cycles that commenced in Q4 2025.
For financial institutions, Cabinet Resolution 134/2025 also requires that the CPF risk assessment feed directly into the customer risk rating methodology. Customers engaged in manufacturing, trading, brokering, or financing of goods appearing on dual-use control lists — even where the transaction itself appears commercially routine — must be assigned an elevated CPF risk score, triggering enhanced due diligence obligations under the same framework applied to high-risk ML/TF customers. This integration is not optional; it is a structural requirement of the Executive Regulations.
Dual-Use Goods, Export Controls, and the CPF Nexus
Proliferation financing in the UAE context is inextricably linked to the trade in dual-use goods — items with legitimate civilian applications that can also contribute to WMD programmes. The UAE is a major re-export hub, and the intersection of free zone trading structures, correspondent banking, and opaque corporate ownership creates a materially elevated CPF risk environment that the FATF mutual evaluation process (next scheduled for 2026) will scrutinise intensively. FDL 10/2025 does not itself codify a list of controlled goods; instead, Cabinet Resolution 134/2025 requires regulated entities to apply controls consistent with UAE federal export control legislation and the applicable UNSC resolutions, which together effectively incorporate dual-use goods lists by reference.
The UAE's primary export control framework is Federal Law 13/2007 on Commodities Subject to Import and Export Control, as supplemented by ministerial resolutions and the UAE Strategic Goods List maintained by the Ministry of Economy. Critically, from a CPF compliance standpoint, FDL 10/2025 imposes an obligation on financial institutions and DNFBPs to conduct due diligence on the nature of goods being financed or traded — not merely on the identity of the counterparties. A trade finance bank processing a letter of credit for machine tools, electronic components, or certain chemicals must assess whether the goods appear on applicable control lists, whether the stated end-user and end-use are plausible, and whether the transaction route raises red flags consistent with proliferation procurement typologies published by the Financial Intelligence Unit (FIU).
Red flags codified in Cabinet Resolution 134/2025 and FIU guidance include: orders for controlled goods inconsistent with the buyer's stated business; requests for unusual payment terms or routing through multiple jurisdictions; end-users located in or near sanctioned states; inquiries about export licence requirements followed by withdrawal when controls are mentioned; and payment by cash or crypto for high-value goods with dual-use applications. The obligation to file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit arises under FDL 10/2025 where a regulated entity suspects, or has reasonable grounds to suspect, that a transaction involves proliferation financing — including where the suspicion relates to evasion of proliferation-related TFS.
For GCs and compliance officers at trading companies and logistics firms, the practical implication is clear: know-your-cargo due diligence is now part of the AML/CPF compliance framework, not merely a matter of customs or trade law. Firms should implement commodity screening against control lists as a standard step in transaction acceptance, and escalation protocols must be calibrated to capture CPF red flags alongside the more familiar ML/TF indicators. Failure to do so exposes the firm — and its managers personally — to the penalty regime described below.
Targeted Financial Sanctions Screening: The CPF-Specific Obligation
A legally distinct but practically integrated component of CPF compliance under FDL 10/2025 is the obligation to implement and maintain targeted financial sanctions (TFS) screening specifically against proliferation-related designation lists. This is separate from the general TFS obligation applicable to terrorism financing. The relevant designation lists are maintained pursuant to UNSC resolutions — principally Resolution 1718 (2006) and its successor resolutions concerning the DPRK, and Resolution 2231 (2015) concerning Iran — and are incorporated into UAE law through the UAE Local Terrorist List and Sanctions List regime administered by the Executive Office for Control and Non-Proliferation.
Cabinet Resolution 134/2025 requires regulated entities to screen all customers, beneficial owners, directors, and transaction counterparties against proliferation-specific TFS lists in real time or as close to real time as feasible, with immediate freezing of assets and filing of a report to the FIU upon a match. Importantly, the obligation to freeze extends to assets held for or on behalf of designated persons, not merely direct counterparty relationships. A correspondent bank, custodian, or payment service provider that processes a transaction benefiting a listed entity — even without direct knowledge — may face regulatory action if adequate screening systems were not in place.
The standard of care required by Cabinet Resolution 134/2025 for TFS screening is a risk-based approach calibrated to the firm's CPF risk assessment. For high-risk sectors — trade finance, precious metals, crypto, real estate — this will typically require automated screening against multiple consolidated lists with human review of all potential matches, documented escalation procedures, and regular testing of screening system effectiveness. For lower-risk DNFBPs, periodic batch screening may be acceptable, but the CPF risk assessment must affirmatively justify the reduced frequency. Regulators have made clear in supervisory guidance that manual or infrequent screening for firms with material trade or financial exposure will not satisfy the standard.
One significant development under FDL 10/2025 is the no-tipping-off obligation in the CPF context: once a firm identifies a potential TFS match or files an STR related to proliferation financing, it is prohibited from disclosing that fact to the customer or any third party. This creates operational tension for trade finance teams and correspondent banks that routinely communicate with customers about payment processing delays. Legal advice should be sought before any communication is made where a CPF-related hold is in place, as premature disclosure can itself constitute an offence under FDL 10/2025.
Personal Manager Liability and Penalty Exposure Under FDL 10/2025
FDL 10/2025 introduces — for the first time in UAE AML/CFT/CPF legislation — an explicit personal liability regime for senior managers and compliance officers. Where a legal person commits a CPF violation, individuals who are proven to have been responsible for the management of the entity at the time of the violation, or who directed, approved, or facilitated the conduct giving rise to the violation, are jointly and personally exposed to the penalties prescribed by the law. This piercing of corporate protection is not contingent on establishing that the individual acted dishonestly; negligent oversight or failure to implement required controls is sufficient.
The penalty structure under FDL 10/2025 is the most severe in UAE AML legislative history. Administrative fines for CPF violations range up to AED 100 million for legal persons, with personal fines for responsible managers reaching AED 5 million. Criminal sanctions for deliberate proliferation financing include imprisonment and, pursuant to Federal Decree-Law 31/2021 (UAE Penal Code, in force 2 January 2022, as amended by FDL 36/2022), confiscation of proceeds. Critically, FDL 10/2025 removes any statute of limitations for money laundering where it is connected to proliferation financing as a predicate offence, meaning historical transactions remain permanently within the investigative and prosecutorial perimeter. The CBUAE, exercising powers under CBUAE Law No. 6/2025, can itself impose administrative fines of up to AED 1 billion for systemic or aggravated violations by licensed financial institutions.
For boards and audit committees, the personal liability provision requires a reassessment of governance structures. Directors cannot rely on delegation to the compliance function as a complete shield; FDL 10/2025 requires that the board itself approve the CPF risk assessment and the firm's overall CPF compliance programme. This means board minutes, risk committee papers, and governance documentation must affirmatively evidence CPF oversight — not merely generic AML/CFT sign-off. In regulatory investigations and enforcement proceedings conducted under Federal Decree-Law 38/2022 (Criminal Procedure Law), prosecutors will request this documentation as a primary line of inquiry into individual culpability.
Deferred prosecution, settlement, and voluntary disclosure mechanisms exist but are narrow. A regulated entity that identifies CPF control failures and self-reports to its supervisor before regulatory detection is likely to receive more favourable treatment than one discovered through examination or third-party intelligence — but FDL 10/2025 does not codify a formal voluntary disclosure reduction in the same way that Corporate Tax law (FDL 47/2022 and Cabinet Decision 129/2025) does for tax defaults. Legal counsel should be engaged before any self-reporting communication is made, to structure the disclosure in a manner that maximises mitigation and minimises admissions.
Sector-Specific Application: VASPs, DNFBPs, Trade Finance, and Free Zones
The CPF obligations under FDL 10/2025 and Cabinet Resolution 134/2025 do not apply uniformly; their practical weight varies significantly by sector. Virtual Asset Service Providers regulated by VARA under the VARA Rulebooks 2.0 (May 2025) face a particularly demanding CPF framework. The Travel Rule threshold under Cabinet Resolution 134/2025 is set at AED 3,500 for virtual asset transfers, requiring originator and beneficiary information to be transmitted and retained. VASPs must incorporate CPF risk factors into their transaction monitoring algorithms — not merely sanctions screening — and must assess whether virtual assets could be used to circumvent proliferation-related TFS through layering or conversion. The DIFC Digital Assets Law 2/2024, which classifies crypto assets as property, creates additional complexity for DIFC-based platforms in managing asset freezing obligations arising from TFS matches.
DNFBPs, particularly real estate brokers and dealers in precious metals and stones, face heightened scrutiny because the UAE National Risk Assessment identifies these sectors as primary CPF exposure points. A real estate broker facilitating the acquisition of high-value property by a corporate vehicle with opaque beneficial ownership — assessed against Cabinet Decision 109/2023's 25% beneficial ownership test — must now overlay a CPF lens on the customer risk rating. If the corporate vehicle's ultimate beneficial owner cannot be identified with the required confidence, and the transaction has geographic or sectoral CPF risk indicators, the broker faces both a SAR filing obligation and potential liability for proceeding with the transaction.
Trade finance and free zone entities present the most structurally complex CPF compliance challenge. A free zone company importing electronic components from one jurisdiction and re-exporting to another may have no independent obligation to verify end-use under UAE customs law, but its financing bank has an affirmative CPF due diligence obligation under FDL 10/2025 that requires it to understand the nature and destination of goods being financed. Where the bank cannot obtain satisfactory end-use certification or where red flags are present, it must decline to process the transaction and file an STR regardless of any commercial pressure. Banks operating correspondent banking relationships with free zone entities should revisit their CPF risk classifications for those relationships in light of the updated Executive Regulations.
Corporate service providers and law firms acting in a non-advisory capacity — for instance, forming companies, managing client accounts, or facilitating asset transfers — fall squarely within the DNFBP perimeter and carry CPF obligations proportionate to the nature of services provided. A legal practitioner forming a special purpose vehicle for a client engaged in defence-adjacent manufacturing must conduct CPF risk assessment as part of client onboarding, irrespective of whether the transaction itself appears routine. The professional privilege shield does not extend to CPF-related STR obligations under FDL 10/2025 where the lawyer is performing a transactional rather than purely advisory function.
Strategic Remediation: Building a Defensible CPF Compliance Programme
For regulated entities that have not yet integrated CPF as a standalone compliance pillar, the priority sequence is as follows. First, conduct an immediate gap analysis of existing AML/CFT policies, risk assessment documentation, and TFS screening processes against the specific CPF requirements of FDL 10/2025 and Cabinet Resolution 134/2025. This analysis should be documented and legally privileged where possible, as it will inform remediation decisions and may be relevant in any future regulatory examination. Second, commission a standalone CPF risk assessment using a methodology consistent with FATF Guidance on Proliferation Financing Risk Assessment (2021) as adapted to the UAE regulatory context. This document must be board-approved and should reflect the specific products, customers, geographies, and delivery channels of the business.
Third, review and update customer risk rating methodologies to incorporate CPF-specific indicators — including exposure to dual-use goods sectors, beneficial ownership structures that obscure ultimate control, and jurisdictional risk linked to proliferation-concern countries. Fourth, ensure that TFS screening systems are updated to include proliferation-specific lists (UNSC 1718 and 2231 committee consolidated lists) and are tested for accuracy and completeness at the frequency required by the CPF risk assessment. Fifth, implement or update staff training to cover CPF red flags and escalation procedures; Cabinet Resolution 134/2025 requires that training be role-specific and documented.
From a governance perspective, boards should ensure that CPF is a standing agenda item for the risk committee, that the CPF risk assessment is reviewed and re-approved at least annually, and that management information reporting on CPF-related STRs, TFS matches, and control testing is provided to board level. For firms operating across multiple jurisdictions, the CPF compliance programme must be calibrated to the UAE framework as the minimum standard, with local law variations documented and managed. Given that the FATF mutual evaluation of the UAE is scheduled for 2026, regulatory supervisors will be conducting intensive examination cycles throughout 2025 and 2026, and firms with incomplete CPF frameworks should anticipate heightened scrutiny.
Finally, firms should consider whether their contractual arrangements with counterparties — particularly in trade finance, correspondent banking, and VASP relationships — adequately address CPF obligations. Representations and warranties in financing agreements, correspondent banking agreements, and VASP-to-VASP arrangements should reflect the CPF compliance obligations of both parties under FDL 10/2025, and termination rights should be clearly preserved for CPF-related events of default. Failing to build CPF provisions into commercial contracts leaves firms exposed both regulatorily and commercially in the event a counterparty relationship gives rise to a CPF issue.
Practical checklist
- Commission a standalone CPF risk assessment compliant with Cabinet Resolution 134/2025 by Q1 2026.
- Obtain board-level approval of the CPF risk assessment and document it in board minutes.
- Update customer risk rating models to include dual-use goods sector and CPF-specific indicators.
- Screen all customers and beneficial owners against UNSC 1718 and 2231 proliferation TFS lists.
- Review trade finance and free zone client files for dual-use goods red flags and end-user documentation.
- Deliver role-specific CPF training to front-line, compliance, and senior management staff.
- Embed CPF representations and termination rights in correspondent banking and VASP agreements.
- Establish a documented escalation and no-tipping-off protocol for CPF-related STR filings.
What we'd typically advise
Our consistent advice to boards and GCs at this stage is straightforward: do not treat CPF as an extension of your existing AML/CFT programme — treat it as a parallel, standalone obligation with its own documentary requirements, risk assessment methodology, and board ownership. The personal liability provisions of FDL 10/2025 are not theoretical; regulators have signalled that CPF compliance will be a primary focus of examination cycles ahead of the 2026 FATF mutual evaluation.
If your firm has not yet produced a board-approved CPF risk assessment or updated its TFS screening to cover proliferation-specific lists, that gap should be closed before any regulatory contact occurs. Where legacy transactions or client relationships present CPF concern, early legal advice on structured voluntary disclosure — and on privilege protection for the internal investigation — is preferable to waiting for supervisory inquiry. The penalty arithmetic under FDL 10/2025 makes remediation far less costly than enforcement.
Frequently asked questions
Our firm already has an AML/CFT compliance programme approved under the old law. Does that satisfy CPF requirements under FDL 10/2025?
No. Federal Decree-Law 10/2025 (in force 14 October 2025) repeals FDL 20/2018 and introduces CPF as a standalone first-class obligation with requirements — including a separate CPF risk assessment and calibrated TFS screening — that did not exist under the prior regime. An AML/CFT programme that was fully compliant under FDL 20/2018 will not satisfy FDL 10/2025 without specific CPF enhancements mandated by Cabinet Resolution 134/2025. Firms must actively update their frameworks; there is no grandfathering provision.
We are a free zone trading company, not a bank. Do the CPF obligations in FDL 10/2025 apply to us?
Potentially yes, depending on your activities. If your free zone company falls within the DNFBP categories — for instance, because you deal in precious metals, stones, or high-value goods — or if you provide corporate or financial services, you are within the regulatory perimeter of FDL 10/2025. Even if your entity is not itself a DNFBP, the financial institutions financing your trade transactions have CPF due diligence obligations that will require them to understand the nature of your goods and end-users. Indirect CPF compliance pressure through banking relationships is significant for free zone traders.
What is the difference between the TFS screening obligation for CFT and for CPF?
Both obligations require screening against designated lists, but they are legally distinct under FDL 10/2025 and Cabinet Resolution 134/2025. CFT screening covers terrorism-related designations; CPF screening specifically covers UN Security Council proliferation-related designations — principally the UNSC 1718 Committee (DPRK) and UNSC 2231 (Iran) consolidated lists. Cabinet Resolution 134/2025 requires that proliferation-specific lists be separately incorporated into screening systems and that screening frequency and depth be calibrated by the firm's standalone CPF risk assessment, not the general TFS framework.
Can a senior manager be personally prosecuted for a CPF failure even if they were unaware of the underlying transaction?
Yes, in certain circumstances. FDL 10/2025 imposes personal liability on managers who were responsible for the entity's management at the time of a violation. Criminal prosecution under Federal Decree-Law 31/2021 (Penal Code) requires proof of knowledge or intent, but administrative sanctions under FDL 10/2025 can attach to negligent oversight — including failure to implement required CPF controls, failure to obtain board approval of the CPF risk assessment, or failure to ensure adequate TFS screening systems. The standard is not subjective knowledge of a specific transaction but objective failure to discharge governance obligations.
We process trade finance for clients importing electronic components through UAE free zones. What specific CPF due diligence steps are required?
Under FDL 10/2025 and Cabinet Resolution 134/2025, you must: (i) assess whether the components appear on applicable dual-use goods control lists; (ii) verify the identity and legitimacy of the end-user through end-use certification where appropriate; (iii) screen all counterparties against UNSC proliferation TFS lists; (iv) assess whether the transaction route, payment structure, or end-user jurisdiction presents CPF red flags; and (v) file an STR with the UAE FIU if suspicion arises. Proceeding without these steps, where a CPF risk has been identified in your risk assessment, creates both regulatory and personal liability exposure.
If we identify a historic transaction that may have involved proliferation financing, should we self-report? Is there a limitation period?
FDL 10/2025 removes the statute of limitations for money laundering connected to proliferation financing as a predicate offence, meaning there is no safe harbour from historic exposure based on time. Whether to self-report is a strategic legal decision that requires careful analysis of the specific facts, the strength of evidence, and the likely regulatory response. Early legal advice is essential before any disclosure is made. Self-reporting before regulatory detection typically results in more favourable treatment, but the disclosure must be structured carefully to avoid creating admissions that extend liability beyond the specific conduct reported.
Our VASP is regulated by VARA. Do we have CPF obligations in addition to our standard VARA compliance requirements?
Yes. VASPs regulated under VARA Rulebooks 2.0 (May 2025) must comply with both VARA's specific requirements and the overarching CPF obligations of FDL 10/2025 and Cabinet Resolution 134/2025 as federal law. The Travel Rule threshold under Cabinet Resolution 134/2025 is AED 3,500 for virtual asset transfers. CPF-specific risk factors must be embedded in transaction monitoring algorithms, and TFS screening must cover proliferation designation lists in addition to terrorism-related lists. The DIFC Digital Assets Law 2/2024 classification of crypto as property has implications for asset freezing obligations when a TFS match is identified in a DIFC-based platform context.
How will the 2026 FATF mutual evaluation affect CPF enforcement in the UAE?
The 2026 FATF mutual evaluation will assess both the technical compliance of UAE law with FATF Recommendations — particularly Recommendation 1 on CPF risk assessment — and the effectiveness of implementation across regulated sectors. Following the UAE's removal from the FATF grey list in February 2024, UAE supervisors are under significant domestic and international pressure to demonstrate robust CPF enforcement outcomes, not merely legislative compliance. Examination cycles by the Central Bank, the Ministry of Economy, and the CMA (under FDL 32/2025 from 1 January 2026) in 2025 and 2026 are expected to prioritise CPF as a thematic focus. Firms with incomplete CPF frameworks face materially elevated examination risk in this period.
Related guides
Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.