GCC Approves Corporate Criminal Liability Guide and AML Strategy for 2026-2030

{getToc} $title={Table of Contents}

GCC approves new guide on corporate criminal liability. Essential governance updates for regional businesses.

The GCC Supreme Council formally approved a Guide on Corporate Criminal Liability for Corruption Crimes at its 46th session in Manama in December 2025.
A companion Guide on Parallel Financial Investigations in Corruption Crimes was endorsed at the same session, signalling coordinated enforcement across borders.
The new GCC Security Strategy for Combating Money Laundering Crimes 2026-2030 is built around five operational pillars including joint task forces and AI-enabled financial analysis.
UAE corporate criminal liability already exists under Federal Decree-Law No. 31 of 2021, covering bribery, fraud, forgery, and related offences committed via company structures.
Designated Non-Financial Businesses and Professions (DNFBPs) face heightened obligations including customer due diligence, suspicious transaction reporting, and board-level accountability.
Cross-border groups operating across multiple GCC states should review governance frameworks and stress-test for exposures that could trigger multi-jurisdictional parallel investigations.

GCC Supreme Council Raises the Bar on Corporate Accountability Across the Region

The approvals issued by the GCC Supreme Council in December 2025 represent a significant step toward a unified Gulf-wide enforcement framework. For UAE businesses, this development sits alongside existing obligations under Federal Decree-Law No. 31 of 2021 - the UAE's New Penal Code - which already embeds corporate criminal liability for corruption offences. The new GCC-level instruments reinforce and extend that domestic baseline by creating shared regional standards and coordinated investigative tools.

The corporate services sector, financial intermediaries, and businesses classified as Designated Non-Financial Businesses and Professions (DNFBPs) - including lawyers, accountants, real estate brokers, and dealers in precious metals - face the sharpest implications. These entities now operate within a tightening web of national and regional obligations, where a compliance failure in one GCC jurisdiction can quickly attract scrutiny in others through parallel financial investigations and coordinated asset measures.

What the GCC Supreme Council Approved

At its forty-sixth session in Manama, Bahrain on 3 December 2025, the GCC Supreme Council issued a final statement approving three significant instruments. The first is the Guide on Corporate Criminal Liability for Corruption Crimes. The second is the Guide on Parallel Financial Investigations in Corruption Crimes. The third is the GCC Security Strategy for Combating Money Laundering Crimes for the period 2026-2030.

The Council's statement praised member states for progress in "strengthening the tools of governance, transparency, accountability, integrity and combating corruption through joint Gulf action." The framing is deliberate - corporate accountability is explicitly linked to regional security and economic stability, not treated as a standalone regulatory exercise. According to the GCC Secretariat General, global estimates place annual money laundering volumes at between 2% and 5% of global GDP, equivalent to roughly USD 800 billion to USD 2 trillion, and the GCC's economic openness makes it a priority target for mitigation.

The 2026-2030 AML Strategy: Five Pillars

The new GCC Security Strategy for Combating Money Laundering Crimes is structured around five pillars. The first focuses on developing supportive legislation, closing loopholes, and ensuring effective coordination between interior ministries and financial and regulatory authorities. The second emphasises joint operations and Gulf task forces conducting coordinated investigations across member states.

The third pillar covers technology and security analysis, including investment in artificial intelligence, financial data analytics, and secure electronic information-sharing links between competent authorities. The fourth addresses tracing and confiscation mechanisms for illicit funds linked to drugs, corruption, terrorism, and human trafficking - including joint asset seizure and international recovery cooperation. The fifth pillar centres on staff training, unified operational manuals, and awareness campaigns targeting high-risk sectors. For regional businesses, pillars three and four are particularly relevant: they signal that regulators will deploy advanced analytics to detect suspicious patterns and move quickly to freeze and confiscate assets.

Corporate Criminal Liability: What It Means in Practice

The full text of the Guide on Corporate Criminal Liability for Corruption Crimes has not yet been published. However, based on global norms it is expected to follow the well-established principle that a company is criminally liable where an individual acted in its name or for its benefit - and where the firm failed to implement adequate procedures to prevent the misconduct.

In the UAE, this framework is already active under Federal Decree-Law No. 31 of 2021. Commentary on that legislation, published by Charles Russell Speechlys, confirms that corporate criminal liability provides prosecutors with a structured pathway to charge companies alongside individuals. Risk areas identified in that analysis include bribery and corruption in procurement, fraud, breach of trust, forgery in financial processes, cyber-enabled offences using corporate systems, and obstruction or evidence tampering. Where those offences are proven, companies can face fines, confiscation of assets, suspension of licences, and other sanctions.

DNFBP Obligations and Personal Liability

Across the GCC, AML regimes impose stringent requirements on DNFBPs. These businesses must implement customer due diligence (CDD - the process of verifying client identity and assessing their risk profile), maintain detailed records, file suspicious transaction reports, and operate documented AML programmes overseen by a designated compliance officer. Regular risk assessments and staff training are also mandatory, with senior management bearing direct accountability for the effectiveness of compliance controls.

In the UAE, the "zero-tolerance" approach to AML enforcement already places particular emphasis on personal liability for professionals such as accountants and auditors. Accounting and audit firms must register on the goAML portal, file suspicious transaction and suspicious activity reports promptly, and retain records for at least ten years. Failure exposes both firms and responsible individuals to fines, sanctions, and potential criminal prosecution - a liability exposure that the new GCC instruments will only intensify as regional enforcement becomes more coordinated.

What UAE Firms Should Do Now

The GCC Supreme Council's decisions have several direct implications for UAE corporate services providers, financial intermediaries, and DNFBPs. Internal governance frameworks should be reviewed to ensure they clearly assign responsibility for anti-corruption and AML compliance, including board-level oversight and documented authority lines for compliance functions. Existing anti-bribery and AML policies should be assessed against both UAE legal standards and emerging GCC-level benchmarks, particularly around risk assessment and third-party management.

Cross-border operating models deserve specific attention. Where group structures or shared service centres span multiple GCC states, businesses should stress-test for exposures that could trigger parallel investigations or coordinated sanctions. The new UAE Capital Market Authority (CMA) - which replaced the Securities and Commodities Authority (SCA) from 1 January 2026 - has already signalled more intensive, risk-based supervision. Combined with the new GCC frameworks, firms should expect heightened scrutiny of governance, compliance documentation, and personal accountability at senior management level.

Practical next steps are likely to include: conducting group-wide corruption and AML risk assessments that incorporate GCC-level developments; documenting and testing "adequate procedures" to prevent bribery; refreshing staff training with GCC-specific content; and preparing compliance teams to respond to multi-jurisdictional information requests and potential coordinated asset measures.

What Clients are Asking their Advisors

What does the new GCC corporate criminal liability guide mean for my company?

It establishes how GCC member states will attribute legal responsibility to corporate entities - not just individuals - when corruption offences are committed in their name or for their benefit. Companies can face prosecution, fines, and sanctions where an employee or agent acted corruptly and the firm lacked adequate prevention procedures. The guide aligns Gulf practice with a well-established global principle already embedded in UAE law under Federal Decree-Law No. 31 of 2021.

Which businesses in the UAE count as DNFBPs under AML rules?

Designated Non-Financial Businesses and Professions (DNFBPs) include lawyers, accountants, real estate brokers, dealers in precious metals and gemstones, and certain corporate service providers. These businesses carry the same core AML obligations as regulated financial firms - customer due diligence, record-keeping, and suspicious transaction reporting. Non-compliance can result in fines, licence revocation, and criminal liability for responsible individuals.

How does the new GCC AML strategy differ from existing national AML frameworks?

The 2026-2030 strategy introduces a coordinated regional approach that goes beyond what individual member states have operated independently. It creates joint GCC task forces, coordinated asset seizure operations, and shared intelligence systems using AI and financial data analytics. This means an investigation opened in one GCC state could directly trigger parallel enforcement measures in others - a significant escalation for cross-border businesses.

What personal liability risks do compliance officers face under these new GCC frameworks?

Senior management bear direct responsibility for the effectiveness of AML compliance programmes, and failures can result in administrative fines, business suspension, licence revocation, and - in serious cases - criminal prosecution of responsible individuals. The UAE's existing zero-tolerance AML enforcement stance already targets personal accountability for professionals such as accountants and auditors. The new GCC frameworks extend this pressure across all six member states in a coordinated manner.