What this guide covers
- The Regulatory Landscape: Three Regimes, One Group
- ADGM's Mandatory 2024 Whistleblowing Regime: Minimum Standards
- DIFC: Employment Protection, DFSA Obligations and Practical Gaps
- Onshore UAE: Navigating the Gap Without a Dedicated Statute
- Designing a Single Group Speak-Up Framework: Architecture and Governance
- Investigation Procedure: Confidentiality, Fairness and Evidentiary Integrity
- Consequences of Non-Compliance: Regulatory, Criminal and Civil Exposure
- Practical checklist
- What we'd typically advise
- Frequently asked questions
A single group whistleblowing programme spanning onshore UAE, DIFC and ADGM is now a regulatory necessity, not a policy aspiration. ADGM's mandatory 2024 regime, DIFC's disclosure architecture and the onshore patchwork impose different but overlapping obligations that must be reconciled before the next regulator visit.
The Regulatory Landscape: Three Regimes, One Group
No single federal statute in the UAE establishes a comprehensive whistleblower protection framework equivalent to, say, the UK's Public Interest Disclosure Act. Instead, protection and obligation arise from a layered matrix of federal criminal law, financial-sector regulation, and free-zone rulebooks. For a group operating across onshore UAE, the DIFC and ADGM, this means three distinct but increasingly convergent regimes must be mapped simultaneously.
At the federal level, the primary sources are Federal Decree-Law 31/2021 (the Penal Code, in force 2 January 2022, as amended by FDL 36/2022) and Federal Decree-Law 38/2022 (the Criminal Procedure Law, in force 1 March 2023, as amended by FDL 45/2023). The Penal Code creates criminal exposure for those who receive a disclosure and then victimise the discloser — retaliatory dismissal or harassment of a reporter can constitute an offence under the general provisions on abuse of authority and coercion. Federal Decree-Law 10/2025 (the AML/CFT/CPF Law, in force 14 October 2025, which repeals FDL 20/2018) introduces a mandatory suspicious transaction reporting obligation with explicit tipping-off prohibitions and personal criminal liability for compliance managers who fail to file reports — a structural whistleblowing duty embedded in financial-crime law.
Within the DIFC, the Employment Law (DIFC Law No. 2 of 2019, as amended) prohibits detrimental treatment of an employee who makes a protected disclosure, and the DFSA Rulebook — specifically the Conduct of Business Module and the Supervision Module — imposes obligations on regulated firms to maintain and publicise internal reporting channels. In ADGM, the Financial Services Regulatory Authority's Market Conduct Rulebook and the 2024 amendments to the FSRA's Supervision and Enforcement framework introduced a mandatory whistleblowing policy requirement for all Category 1, 2, 3A and 3B authorised firms, with prescribed minimum content and board-level accountability. This is the most structured of the three regimes and sets the standard to which a unified programme should aspire.
For groups that also operate onshore UAE entities regulated by the Central Bank (under CBUAE Law No. 6/2025, which allows administrative fines up to AED 1 billion) or the newly constituted Capital Markets Authority under Federal Decree-Law 32/2025 (which replaces the SCA from 1 January 2026), additional sector-specific reporting channels and anti-retaliation expectations apply. The CMA framework, supported by FDL 33/2025 on insider dealing and market manipulation (penalties reaching AED 200 million), explicitly incentivises voluntary disclosure and cooperation — a functional analogue to whistleblowing in the capital-markets context.
ADGM's Mandatory 2024 Whistleblowing Regime: Minimum Standards
ADGM's 2024 amendments represent the most prescriptive whistleblowing regime currently operative in the UAE and should anchor any group-wide framework. The FSRA's updated Supervision and Enforcement Rules require that every authorised firm in Categories 1, 2, 3A and 3B maintain a written whistleblowing policy approved at board level. The policy must identify a dedicated receiving function — typically a senior independent officer or external counsel — with direct access to the board audit committee, bypassing executive management where the concern implicates senior leadership.
The ADGM framework mandates at minimum: (i) a confidential reporting channel accessible to employees, contractors and certain counterparties; (ii) an obligation to acknowledge receipt within a defined period; (iii) a prohibition on identifying the reporter to any person not strictly necessary to the investigation; (iv) a non-retaliation covenant enforceable through ADGM's Employment Regulations; and (v) an annual report to the board detailing the number of disclosures received, their subject matter, disposition, and any retaliation complaints. Firms that fail to maintain a compliant policy or that demonstrate a pattern of deterring reports risk supervisory action, including conditions on their financial services permission and referral for enforcement under the FSRA's powers.
Critically, ADGM's regime does not confine protected disclosures to financial-crime matters. Concerns regarding governance failures, conflicts of interest, regulatory non-compliance, and significant risk-management deficiencies are all within scope. This breadth is intentional — the FSRA's 2024 consultation responses made clear that the regime is designed to surface systemic governance risks before they crystallise into enforcement events. For group compliance officers, this means the ADGM policy cannot be a narrow AML-reporting annex: it must be a genuine speak-up framework covering the full spectrum of regulatory and ethical concerns.
The board accountability element is non-negotiable. The ADGM rules require that the policy be reviewed and reapproved by the board not less than annually, and that any material change to the receiving function or escalation path be notified to the FSRA. Where the concern implicates a board member, the policy must specify an alternative escalation route — typically directly to the FSRA's supervision team — and this route must be genuinely operational, not merely stated on paper. Firms discovered to have nominal escalation paths that bypass real accountability will find little regulatory sympathy in enforcement proceedings.
DIFC: Employment Protection, DFSA Obligations and Practical Gaps
The DIFC's whistleblowing architecture rests on two distinct pillars: employment law protection for individual disclosers, and regulatory obligation on authorised firms. DIFC Employment Law No. 2 of 2019 (as amended) provides that an employee who makes a protected disclosure — defined broadly to include concerns about legal violations, dangers to health and safety, and regulatory non-compliance — must not suffer any detriment including dismissal, demotion, reduction in remuneration, or exclusion from opportunity. A dismissed employee who establishes that the protected disclosure was the reason or principal reason for dismissal is entitled to reinstatement or, where reinstatement is refused, compensation assessed by the DIFC Courts without the statutory cap applicable to ordinary unfair dismissal.
The DFSA's regulatory obligations apply specifically to Authorised Firms and Authorised Market Institutions. The DFSA Rulebook's Supervision Module (SUP) requires firms to have adequate systems and controls for reporting concerns internally and, where appropriate, to the DFSA directly. The Conduct of Business Module (COB) reinforces this with obligations around conflicts of interest and the integrity of reporting lines. However — and this is a material gap relative to ADGM — the DFSA does not presently mandate a standalone whistleblowing policy document with prescribed minimum content. The obligation is expressed in terms of 'adequate arrangements', giving firms more flexibility but also more uncertainty about what will satisfy the regulator on inspection.
A further DIFC-specific consideration arises in connection with market abuse. FDL 33/2025 codifies insider-dealing and manipulation offences with penalties up to AED 200 million and applies to conduct on UAE-regulated markets regardless of where the firm is located. Where a DIFC-based employee becomes aware of potential market abuse by a colleague or counterparty, the intersection of DFSA reporting obligations, the DIFC employment protection regime, and the federal criminal framework under FDL 33/2025 creates a complex multi-regulator environment. The group policy must specify clearly which channel governs, who receives the report, and how the firm coordinates any mandatory regulatory notification without inadvertently tipping off the subject — itself a criminal offence under FDL 10/2025 Article provisions on tipping-off in AML contexts.
One frequently overlooked DIFC mechanism is the DIFC Courts' jurisdiction over employment disputes. An employee who suffers retaliation for a protected disclosure may bring a claim before the DIFC Courts Small Claims Tribunal (for claims up to USD 200,000) or the DIFC Courts proper for larger claims, and may seek interim injunctive relief pending the substantive hearing. Given the DIFC Courts' procedural efficiency and English-language common-law process, this route is meaningfully accessible in a way that onshore labour proceedings often are not for senior executives.
Onshore UAE: Navigating the Gap Without a Dedicated Statute
Outside the two financial free zones, the UAE lacks a dedicated whistleblower protection statute analogous to those in common-law jurisdictions. This creates a genuine gap that practitioners and boards must address deliberately. The principal protections available onshore derive from: (i) sector-specific regulatory obligations; (ii) general criminal prohibitions on retaliation; and (iii) contractual mechanisms within employment documentation.
On the regulatory side, FDL 10/2025 (the AML/CFT/CPF Law) is the most consequential instrument. Article provisions impose mandatory suspicious transaction reporting obligations on financial institutions, designated non-financial businesses and professions (DNFBPs) and virtual asset service providers regulated by VARA under the VARA Rulebooks 2.0 (May 2025). The tipping-off prohibition under FDL 10/2025 operates in both directions: a person who files a report must not disclose that fact to the subject, and an employer who subjects a reporting employee to adverse treatment risks criminal liability as well as regulatory sanction. Cabinet Resolution 134/2025 (the Executive Regulations, in force 14 December 2025) adds granular procedural requirements on STR filing and sets the Travel Rule threshold at AED 3,500 for virtual asset transfers — relevant for groups with VARA-licensed entities.
For onshore entities subject to CBUAE supervision (Law No. 6/2025), the Central Bank's anti-money laundering and governance circulars impose internal reporting and escalation requirements functionally similar to a whistleblowing obligation. A bank employee who files an internal STR and is subsequently dismissed faces a legal landscape in which the Federal Labour Law (Federal Decree-Law 33/2021) provides basic unfair dismissal protection but does not specifically address protected disclosures. The practical remedy — an arbitration claim or Ministry of Human Resources referral — is less powerful than the DIFC or ADGM equivalents, making contractual non-retaliation provisions in employment agreements essential for onshore senior hires.
The onshore capital markets environment changes materially from 1 January 2026 when the CMA assumes the SCA's functions under FDL 32/2025. FDL 33/2025, which codifies market abuse offences and penalties up to AED 200 million, is expected to be accompanied by CMA rules that import a more structured market-abuse reporting and cooperation incentive framework. Groups should monitor CMA rule-making through 2025-2026 and incorporate anticipated CMA requirements into the unified policy from the outset rather than retrofitting later.
Designing a Single Group Speak-Up Framework: Architecture and Governance
A unified programme must satisfy the most demanding of the three regimes — ADGM's mandatory framework — while being calibrated to the practical realities of each jurisdiction. The starting point is a single group-level whistleblowing policy, approved by the group board (or, for UAE-listed entities, the group audit committee with board ratification under the governance requirements of FDL 32/2025), with jurisdiction-specific annexes that address local law requirements. This architecture avoids the compliance risk of inconsistent messaging and ensures that an employee reporting from any entity receives substantively equivalent protection.
The governance layer requires: (a) a Group Speak-Up Officer (GSUO), typically the General Counsel or a designated independent senior officer, with a direct reporting line to the board audit committee; (b) entity-level Speak-Up Officers for the DIFC and ADGM entities, who must be individuals approved or acceptable to the DFSA and FSRA respectively; (c) an external reporting channel — a third-party hotline with multilingual capacity — that allows anonymous reports and does not route through any person who might be the subject of a concern; and (d) a documented triage and investigation protocol that specifies, for each category of concern, whether the matter is handled internally, escalated to a regulator, or referred to external counsel.
The triage protocol must address the AML/CFT dimension specifically. Under FDL 10/2025 and Cabinet Resolution 134/2025, the obligation to file an STR with the UAE Financial Intelligence Unit is mandatory and time-sensitive — delay itself carries liability. The protocol must specify that AML concerns are routed immediately to the MLRO and do not await the conclusion of any internal whistleblowing investigation. The tipping-off prohibition means that the GSUO and MLRO must operate a strict information barrier: the reporter must be protected, the subject must not be alerted, and the regulator must be notified before (not after) any internal confrontation with the subject.
For groups with exposure to the new federal capital-markets framework under FDL 32/2025 and FDL 33/2025, the unified policy should include a specific market-abuse escalation path. Where a concern relates to potential insider dealing or market manipulation — offences carrying penalties up to AED 200 million under FDL 33/2025 — the policy should specify mandatory escalation to the GSUO and external legal counsel within 24 hours of receipt, with a presumption in favour of voluntary disclosure to the CMA (from 1 January 2026) or the DFSA where the concern relates to a DIFC-regulated entity. Voluntary disclosure and cooperation are consistently rewarded in UAE enforcement practice and should be embedded structurally in the programme, not left to ad hoc judgment.
Investigation Procedure: Confidentiality, Fairness and Evidentiary Integrity
Once a concern is received and triaged, the investigation must be conducted in a manner that preserves: (i) the confidentiality of the reporter to the extent legally possible; (ii) the procedural fairness rights of the subject; and (iii) the evidentiary integrity of materials that may ultimately be used in regulatory or criminal proceedings under FDL 38/2022 (the Criminal Procedure Law) or before the DIFC or ADGM courts. These three objectives are in tension, and managing that tension is the central skill of the internal investigation.
Confidentiality is not absolute. Where the investigation requires interviewing witnesses or reviewing systems that the subject has access to, there is a practical risk of identification. The investigation protocol should front-load document preservation — placing a litigation hold on relevant electronic records before any interview takes place — and should use only investigators (whether internal or external counsel) who are independent of the subject and the relevant business unit. Legal professional privilege must be claimed from the outset where external counsel is retained to conduct or oversee the investigation: privilege established under the laws of a common-law jurisdiction such as England and Wales is generally recognised in DIFC and ADGM proceedings, but its status in onshore UAE criminal proceedings under FDL 38/2022 is less certain and should be addressed with local counsel before any materials are created.
The subject of the investigation retains rights under UAE law that must be respected. Under the onshore framework, the UAE Constitution and FDL 38/2022 guarantee minimum procedural rights in criminal proceedings, and the DIFC Employment Law imposes a duty of fair process before any disciplinary sanction. The investigation report should be structured to distinguish clearly between: findings of fact (supported by documentary evidence and witness accounts); inferences drawn from those facts; and recommendations for action. This structure is essential if the report must later be presented to a regulator, a court, or an arbitral tribunal.
Where the investigation concludes that a concern was made in good faith but is not substantiated, the policy must specify that no adverse action is taken against the reporter. Where the concern is found to have been made maliciously and without reasonable basis, the group retains disciplinary discretion — but this must be exercised carefully. Under ADGM's framework, any disciplinary action against a reporter must be documented as unrelated to the protected disclosure itself, and the FSRA expects that such cases are reported in the annual board return on whistleblowing activity. A pattern of disciplining reporters — even purportedly for unrelated conduct — will attract regulatory scrutiny.
Consequences of Non-Compliance: Regulatory, Criminal and Civil Exposure
The consequences of an inadequate whistleblowing programme — or of retaliating against a discloser — are now sufficiently severe across all three regimes to justify substantial investment in getting the framework right. At the regulatory level, an ADGM-authorised firm that fails to maintain a compliant policy faces conditions on its financial services permission, public censure, and fines under the FSRA's enforcement framework. A DFSA-regulated firm in DIFC faces equivalent supervisory action under the DFSA Rulebook. Onshore, CBUAE Law No. 6/2025 empowers the Central Bank to impose administrative fines up to AED 1 billion for regulatory failures by licensed financial institutions — a figure that gives compliance failures existential significance for smaller institutions.
The AML/CFT dimension carries the sharpest personal liability. Under FDL 10/2025, compliance managers bear personal criminal liability for failures in STR filing obligations — including failures attributable to a culture in which reporters are discouraged from surfacing concerns. Cabinet Resolution 134/2025 extends this personal liability framework to senior managers in designated categories of financial institution and VASP. Fines under FDL 10/2025 reach AED 100 million at the institutional level, with criminal imprisonment for individuals. The removal of any statute of limitations for money laundering under FDL 10/2025 means that historical failures in reporting culture can be investigated and prosecuted without temporal limit.
For capital-markets participants, FDL 33/2025 codifies insider-dealing and manipulation offences with penalties up to AED 200 million. An employee who makes a protected disclosure about suspected market abuse and is subsequently dismissed faces potential claims before both the DIFC Courts (if DIFC-employed) and, from 2026, the CMA's enforcement architecture onshore. The group's exposure in such a case extends beyond the employment claim: if the regulator concludes that the retaliation was intended to suppress a market-abuse disclosure, this fact will be an aggravating factor in any enforcement action against the firm.
Civil exposure onshore arises under the Federal Labour Law (FDL 33/2021) for wrongful dismissal, but the remedies — generally capped at a multiple of last salary — are less deterrent than DIFC or ADGM remedies. The more potent onshore civil mechanism is a claim under the Penal Code provisions on abuse of authority or coercion (FDL 31/2021), which can result in criminal conviction of the individual manager who authorised the retaliatory action. For senior executives, this personal criminal exposure is the most powerful argument for taking speak-up obligations seriously. It is also the argument most likely to secure board attention and resource commitment for the unified programme.
Practical checklist
- Obtain board-level approval of a unified group whistleblowing policy covering all three jurisdictions
- Appoint a Group Speak-Up Officer with a direct reporting line to the board audit committee
- Ensure the ADGM entity policy satisfies all FSRA 2024 mandatory minimum content requirements
- Establish an anonymous third-party hotline accessible to employees, contractors and counterparties
- Document a triage protocol that routes AML/CFT concerns immediately to the MLRO under FDL 10/2025
- Include a market-abuse escalation path with a 24-hour escalation presumption under FDL 33/2025
- Conduct an annual board review of disclosures received, outcomes and any retaliation complaints
- Ensure employment contracts for onshore senior hires include explicit contractual non-retaliation provisions
What we'd typically advise
In our experience advising regulated groups across the UAE, the programmes that fail are those built as compliance artefacts rather than genuine cultural instruments. The ADGM regime gives you the architecture; use it as the floor for the entire group, not a ceiling for the free-zone entity alone. The tipping-off and personal-liability provisions of FDL 10/2025 mean that a compliance manager who allows a retaliatory culture to persist is personally at risk of criminal prosecution — that message must reach every level of management.
We consistently recommend that groups commission a confidential gap analysis against ADGM's 2024 requirements before the next regulatory inspection cycle, and that the unified policy be stress-tested with a simulated disclosure exercise. The investment is modest relative to the regulatory, criminal and reputational exposure that a deficient programme creates under the current UAE enforcement environment.
Frequently asked questions
Does onshore UAE law actually protect a whistleblower who reports their employer to a regulator?
Not through a dedicated statute. Onshore protection is piecemeal: FDL 10/2025 prohibits retaliation against STR reporters through its tipping-off and obstruction provisions, and the Penal Code (FDL 31/2021) criminalises coercion and abuse of authority by a manager who retaliates. The Federal Labour Law (FDL 33/2021) provides unfair-dismissal remedies but does not specifically protect protected disclosures. For onshore employees, contractual non-retaliation provisions and the criminal exposure of the retaliating manager are the most practical protections currently available.
Is an anonymous report to our internal hotline genuinely protected under ADGM rules?
Yes. ADGM's 2024 mandatory framework requires that the policy accommodate anonymous reports and that the receiving function takes no steps to identify the reporter beyond what is strictly necessary to investigate the concern. A firm that attempts to identify an anonymous reporter without regulatory necessity risks enforcement action from the FSRA and, if the reporter is identified and suffers detriment, an employment claim under ADGM's Employment Regulations. The policy must state expressly that anonymous reports will be investigated on their merits.
What happens if a whistleblower's concern turns out to be mistaken or only partially correct?
Protection under both DIFC Employment Law No. 2/2019 and ADGM's framework extends to concerns raised in good faith, regardless of whether the concern is ultimately substantiated. A reporter who genuinely believed the disclosed facts and reported through the designated channel retains full protection even if an investigation concludes that no wrongdoing occurred. Only a concern demonstrated to have been made maliciously and without reasonable basis may attract disciplinary consequences — and even then, ADGM requires that any such action be documented separately from the disclosure itself.
Our ADGM entity is a Category 4 firm — are we exempt from the mandatory whistleblowing policy requirement?
The FSRA's 2024 mandatory policy requirement applies to Categories 1, 2, 3A and 3B. Category 4 (representative offices and certain limited-activity firms) are not expressly within scope of the mandatory minimum. However, the FSRA's broader systems-and-controls expectations and the ADGM Employment Regulations' non-retaliation provisions apply to all authorised entities. Adopting a compliant policy voluntarily, even for a Category 4 firm, materially reduces regulatory and employment risk and signals governance maturity to the FSRA on any future application to upgrade your licence.
Can a whistleblower go directly to the DFSA or FSRA without first using the internal channel?
Yes. Both the DFSA and FSRA maintain direct reporting mechanisms for individuals who wish to raise concerns about regulated firms. Neither regulator requires exhaustion of internal remedies before accepting a report. In practice, the FSRA's 2024 framework specifically mandates that firms include in their policy an explicit statement that employees may report directly to the FSRA without prior internal escalation, and that doing so will not constitute a breach of confidentiality obligations owed to the firm. Suppressing or discouraging direct regulator contact is itself a regulatory offence.
How does the AML mandatory reporting obligation interact with our internal whistleblowing process?
They are parallel, not sequential. Under FDL 10/2025 and Cabinet Resolution 134/2025, a Reporting Entity's MLRO has an independent, mandatory obligation to file an STR with the UAE FIU within the prescribed period once there are reasonable grounds for suspicion. This obligation is not contingent on completion of an internal whistleblowing investigation and is not satisfied by raising the concern through the speak-up channel alone. The unified policy must route AML concerns simultaneously to both the GSUO (for reporter protection and governance tracking) and the MLRO (for FIU filing), with an information barrier between the two tracks to prevent tipping-off under FDL 10/2025.
If a senior executive is the subject of the concern, who investigates and how is independence maintained?
Both ADGM's mandatory framework and sound governance practice require an alternative escalation path where the concern implicates a senior officer. The ADGM policy must specify this route — typically direct escalation to the board chair or audit committee chair, bypassing management entirely, with the option of direct notification to the FSRA. External independent counsel should be retained to conduct or supervise the investigation to ensure independence. Under FDL 31/2021 (Penal Code), a senior executive who interferes with an investigation into their own conduct risks criminal liability for obstruction, which is a powerful structural incentive to maintain genuine independence.
How should we handle a concern that involves potential insider dealing under the new FDL 33/2025?
FDL 33/2025 codifies insider-dealing and market-manipulation offences with penalties up to AED 200 million and applies to conduct on UAE-regulated markets. A concern of this nature should trigger immediate escalation to the GSUO and external legal counsel, a trading halt or restriction on the relevant accounts if operationally feasible, and a privileged preliminary assessment of whether a voluntary disclosure to the CMA (from 1 January 2026 under FDL 32/2025) or DFSA (for DIFC entities) is required. Voluntary disclosure and proactive cooperation are recognised mitigating factors in UAE enforcement practice and should be considered within the first 24 hours of the concern being substantiated at even a preliminary level.
Related guides
Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.