UAE AML Zero-Tolerance 2026: Personal Liability Risks for Accountants and Auditors

{getToc} $title={Table of Contents}

UAE moves to zero-tolerance AML enforcement in 2026. New personal liability risks for accountants and auditors.

Federal Decree-Law No. 10 of 2025 replaces the 2018 AML law, raising fines to AED 100 million for serious corporate violations and extending liability to individual managers.
Accounting and audit firms are classified as DNFBPs and face the full range of AML, counter-terrorism financing, and counter-proliferation financing obligations.
A new "objective liability" standard means professionals are judged on what they ought to have known, not just what they knew - closing the door on wilful blindness.
Tax crimes are now recognised as predicate offences to money laundering, directly widening the compliance exposure of accountants and tax advisors.
Firms must register on the goAML portal, appoint a qualified MLRO, conduct Business-Wide Risk Assessments, and maintain records for at least ten years.
Virtual asset risks and proliferation financing must now be explicitly integrated into client risk ratings, engagement acceptance, and ongoing monitoring procedures.

A New Era for DNFBP Compliance: What the 2025 Law Means in Practice

Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism annuls the UAE's 2018 AML framework and introduces a materially tougher regime across all regulated sectors. Accounting and audit firms fall squarely within the scope as Designated Non-Financial Businesses and Professions (DNFBPs) - a category that also includes real estate brokers, legal professionals, and dealers in precious metals. The law is backed by Cabinet Resolution No. 134 of 2025, which sets out detailed executive regulations and a sharply escalated penalty structure.

The practical effect for professional services firms is significant. Regulators now have broader inspection powers, and enforcement is moving decisively away from warnings toward fines, licence suspension, and personal sanctions against managers. Firms are expected to appoint a qualified Money Laundering Reporting Officer (MLRO), conduct documented Business-Wide Risk Assessments (BWRAs), and register with the UAE Financial Intelligence Unit (FIU) via the goAML portal. These are no longer aspirational standards - they are mandatory obligations with enforcement consequences.

The Shift to Objective Liability

One of the most significant changes in the 2026 enforcement environment is the rise of what practitioners describe as "objective liability." Under this standard, accountants, auditors, and their management are judged not on what they actually knew about a client's activities, but on what they ought to have known. Wilful blindness and inadequate due diligence are no longer safe harbours.

This shift has direct implications for engagement acceptance and client risk rating. Firms cannot rely on superficial onboarding procedures. Instead, they must demonstrate that their risk assessments are thorough, documented, and proportionate to the complexity and risk profile of each client. Where a firm fails this test, enforcement can be directed at responsible individuals as well as the entity itself, according to guidance on AML penalties published by Hisab Chartered Accountants.

Personal Liability: Directors and Managers in the Firing Line

The updated framework explicitly extends sanctions to individuals in management roles. Managers and directors can now face administrative penalties, disqualification, and - in serious cases - criminal sanctions including imprisonment and fines up to AED 10 million, where they wilfully or negligently fail to implement adequate AML systems. This personal liability also applies to de facto decision-makers and advisers exercising control, not only formally appointed directors.

Board and senior management oversight of AML frameworks is now a formal obligation, not a best-practice recommendation. Revised DNFBP guidelines for 2025 and 2026 require documented roles and responsibilities, board-approved policies, and clear escalation channels from frontline staff through to the MLRO and senior leadership. Where these are absent or deficient, enforcement can be directed at the individuals responsible, as well as at the firm. A&O Shearman's 2026 white-collar crime review notes that regulators are acting more quickly and decisively, and that professional services are not exempt from scrutiny.

Tax Crimes, Virtual Assets, and Proliferation Financing

Three relatively new risk areas deserve particular attention from accountants and tax advisors. First, the 2025 DNFBP guidelines formally recognise tax crimes - including those relating to direct and indirect taxes - as predicate offences to money laundering. This means aggressive tax behaviour that crosses into illegality can trigger AML reporting obligations and expose both clients and their advisors to investigation.

Second, virtual asset risks must now be explicitly integrated into BWRAs, client acceptance procedures, and ongoing monitoring. Firms that service clients with material virtual asset exposure are expected to screen for sanctions, proliferation financing risks, and cross-border virtual asset flows. Third, the UAE's National Risk Assessment on proliferation financing - the financing of weapons of mass destruction programmes - identifies trade, logistics, and professional services as sectors with exposure. DNFBPs must factor proliferation financing into their risk assessments and align with UN Security Council resolutions and Cabinet Decision 74 of 2020 on targeted financial sanctions.

Core Compliance Obligations for 2026

For accounting and audit firms, the minimum compliance framework under the new regime includes registration on the goAML portal, timely filing of Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs), and ten-year record retention. Customer due diligence (CDD) - meaning the process of verifying client identity and assessing their risk profile - must be conducted at onboarding and reviewed periodically thereafter. Enhanced due diligence is required for higher-risk clients.

Firms must also conduct periodic independent testing of their AML systems and provide mandatory training tailored to their business model and risk profile. The MLRO must have sufficient seniority and independence to engage directly with regulators and the FIU. AMCA's 2026 AML Guide makes clear that regulators now expect frameworks to evolve dynamically with shifting threats and geopolitical developments - static documentation is not sufficient.

The Penalty Stakes

The financial exposure under the new law is considerable. Corporate fines can reach AED 100 million for serious violations, and fines may match or exceed the value of the criminal property involved. Administrative penalties for DNFBPs range from AED 50,000 to AED 5 million per violation, with additional measures including licence suspension, deregistration, and the appointment of external monitors.

Criminal penalties for money laundering and terrorism financing offences can reach AED 10 million, accompanied by imprisonment. Enforcement examples cited in practitioner commentary include large fines imposed on insurers, exchange houses, and brokers - illustrating that no sector, including professional services, is immune. The 2024-2027 National AML/CFT/CPF Strategy, developed in response to the UAE's FATF grey-listing in 2022, positions DNFBPs as key gatekeepers in the national financial integrity framework. For accountants and auditors, 2026 marks a clear turning point: AML compliance is now a strategic priority, and the cost of failure - both personally and institutionally - has never been higher.

What Clients are Asking their Advisors

What is objective liability under UAE AML law and how does it affect accountants?

Objective liability means that accountants and auditors are judged not only on what they knew, but on what they ought to have known. This effectively removes any tolerance for wilful blindness or inadequate due diligence, and means that weak risk assessments - even without direct knowledge of wrongdoing - can result in enforcement action.

What is the goAML portal and which UAE accounting firms must register on it?

The goAML portal is the UAE Financial Intelligence Unit's official platform for filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs). All accounting and audit firms classified as DNFBPs are required to register and use it to meet their AML reporting obligations under Federal Decree-Law No. 10 of 2025.

How do AML fines for accounting firms in the UAE compare to banks and financial institutions?

Under the 2025 law, administrative fines for DNFBP firms - including accounting and audit practices - can reach AED 5 million per violation, while the most serious corporate violations can attract penalties up to AED 100 million. Financial institutions face a similarly severe penalty regime, reflecting the UAE's intent to apply equal enforcement rigour across all regulated sectors.

Can individual managers at UAE accounting firms face criminal charges for AML failures?

Yes. Under the updated framework, managers and senior responsible individuals can face personal administrative sanctions, disqualification, and - in serious cases - criminal penalties including imprisonment and fines, particularly where they wilfully or negligently fail to implement adequate AML controls. This personal liability extends to de facto decision-makers, not just formally appointed directors.