KYB Compliance UAE Guidelines
TL;DR
- The UAE’s AML framework has become significantly stricter following its removal from the FATF grey list in 2024, making KYB compliance a critical requirement for regulated businesses.
- KYB in the UAE involves verifying a company’s identity, ownership structure, beneficial owners, and risk profile before and during the business relationship.
- The framework is governed by Federal Decree-Law No. 10 of 2025, with oversight provided by CBUAE, DFSA, ADGM FSRA, and VARA depending on the sector and jurisdiction.
- Businesses must identify and verify Ultimate Beneficial Owners (UBOs) holding 25% or more ownership, voting rights, or effective control, and maintain updated ownership records.
- Required KYB documents include trade licenses, incorporation certificates, shareholder registers, director and UBO identification, proof of address, and financial information for higher-risk entities.
- Non-compliance can result in substantial fines, licence revocations, personal sanctions, and criminal penalties, particularly for fintech, crypto, and other regulated businesses.
When the Financial Action Task Force (FATF) removed the UAE from its grey list in February 2024, the move signalled the end of a two-year sprint of regulatory reform. It did not signal the end of scrutiny. Regulators issued over AED 380 million in AML fines in the first half of 2025 alone, including licence revocations and personal sanctions against senior compliance officers.
For banks, fintechs, payment platforms, crypto exchanges, and designated non-financial businesses and professions (DNFBPs) operating in or entering the UAE, Know Your Business (KYB) compliance now sits at the centre of this environment. Getting it right is not optional, and the cost of falling short is no longer theoretical. This guide covers the current framework, the obligations it creates, and what regulated businesses should have in place.
What Is KYB Compliance in the UAE?
Know Your Business (KYB) compliance in the UAE is the process by which regulated entities verify the identity, ownership structure, and risk profile of their corporate clients and business counterparties before entering a relationship, and on an ongoing basis thereafter.
KYB is the business-facing counterpart of Know Your Customer (KYC) for individuals. Where KYC confirms who a person is, KYB establishes whether a business is legitimate, who ultimately controls it, and whether any associated persons or entities carry AML or sanctions risk. In the UAE, it is a mandatory element of Customer Due Diligence (CDD) obligations under federal AML law. AML business verification in the UAE applies across mainland financial institutions, DIFC-regulated firms, ADGM-licensed entities, and virtual asset service providers (VASPs) licensed by the Virtual Assets Regulatory Authority (VARA). For context on how individual identity verification requirements sit alongside corporate checks, our KYC UAE regulations guide covers the parallel framework.
The Regulatory Framework Governing KYB in the UAE
The UAE does not operate a single unified KYB regulator. Different regulators oversee different jurisdictions and sectors, though all of them derive authority from the same federal AML legislative base. A business operating in the Dubai International Financial Centre (DIFC) faces different supervisory oversight than a mainland payment firm or an Abu Dhabi-licensed wealth manager. Understanding which regulator applies, and what each one expects, is the starting point for building a compliant KYB programme.
Federal Decree-Law No. 20 of 2018 established the foundational UAE AML framework that made business verification mandatory across sectors. That law was repealed and replaced by Federal Decree-Law No. 10 of 2025, in force from 14 October 2025. Key additions include proliferation financing as a distinct criminal offence, explicit AML obligations for VASPs, and strengthened risk-based due diligence requirements. The implementing regulations are contained in Cabinet Resolution No. 134 of 2025, effective from 14 December 2025.
CBUAE – Mainland Businesses
The Central Bank of the UAE (CBUAE) supervises licensed financial institutions on the mainland. Its AML and CFT (Counter-Financing of Terrorism) standards require full CDD, including KYB, for all business relationships. The enforcement tone has been unambiguous: the CBUAE imposed AED 339 million in fines on a single day in June 2025, alongside licence revocations for exchange houses with repeated compliance failures.
DFSA – DIFC
The Dubai Financial Services Authority (DFSA) governs firms operating within the DIFC, which has its own legal system and independent courts. DFSA-regulated firms must meet KYB standards aligned with FATF recommendations, with enhanced due diligence required for higher-risk business relationships.
ADGM FSRA – Abu Dhabi
The Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM) applies rigorous beneficial ownership and control requirements for entities registered within ADGM. These sit independently of the mainland UBO register, with their own documentation and disclosure standards.
VARA – Virtual Assets
The Virtual Assets Regulatory Authority (VARA) licenses and oversees crypto and virtual asset businesses in Dubai, covering the mainland and most free zones outside DIFC. KYB for fintech and crypto businesses under a VARA licence is mandatory and must include full corporate verification, UBO identification, and AML screening against global watchlists.
UAE UBO Verification Requirements
Beneficial ownership is the most operationally demanding element of UAE corporate due diligence. The threshold established under Cabinet Resolution No. 58 of 2020 sits at 25%. Any natural person holding 25% or more of ownership, voting rights, or effective control of a company must be identified and verified as a UBO.
UAE beneficial ownership regulations require that UBO records be maintained in a dedicated register, updated whenever the ownership structure changes, and made available to the UAE Financial Intelligence Unit (FIU) within 30 days of a request.
The obligation extends down the ownership chain. When a corporate shareholder holds 25% or more, the regulated entity must trace through to the natural person at the top. Layered holding structures do not dissolve the obligation. They extend it.
Free zone entities in DIFC and ADGM are exempt from mainland UBO register requirements but must follow the dedicated UBO frameworks set by DFSA and FSRA respectively.
What Documents Are Required for KYB in the UAE?
A standard UAE corporate due diligence check draws on the following:
- Corporate registration: Trade licence, certificate of incorporation, and memorandum and articles of association
- Ownership structure: Shareholder register confirming ownership percentages down to the 25% UBO threshold
- Directors and signatories: Government-issued identification and proof of authority for all authorised signatories and directors
- Business address: Ejari tenancy contract for Dubai-registered entities; Tawtheeq contract for Abu Dhabi entities
- UBO documentation: Government-issued identification and proof of address for each natural person identified as a UBO
- Financial information: Bank statements or audited accounts, particularly for higher-risk or high-value relationships
Enhanced due diligence applies when a business client comes from a higher-risk jurisdiction, has a complex or opaque ownership structure, or operates in a sector flagged in the 2024 UAE National ML/TF Risk Assessment. All KYB records must be retained for a minimum of five years and made available to the FIU within 30 days on request. Our AML regulations in the UAE guide covers the full legislative history behind these retention and reporting obligations.
Penalties for KYB Non-Compliance in the UAE
Enforcement has grown sharper since the FATF grey list exit, and the trajectory is not reversing. The CBUAE imposes non-compliance charges of between AED 50,000 and AED 500,000 per violation, calibrated by severity, duration, and compliance history.
Beyond monetary penalties, regulators have revoked licences. In 2024, 32 gold refineries had their licences suspended after inspectors found 256 AML violations, including failures to identify business counterparties and report suspicious activity. The CBUAE has also imposed personal sanctions on individual compliance officers, extending accountability beyond the institution itself.
Under Federal Decree-Law No. 10 of 2025, providing false beneficial ownership information carries imprisonment plus fines starting at AED 20,000. The introduction of proliferation financing as a distinct criminal category adds further exposure for any business that fails to screen corporate clients against the full universe of designated entities and sanctioned parties.
KYB for Fintech and Crypto Companies in the UAE
KYB requirements for fintech and crypto companies in the UAE carry additional obligations that go beyond standard corporate onboarding. Every VARA-licensed entity must implement AML and KYC policies, appoint a Money Laundering Reporting Officer (MLRO), and complete full KYB verification on any corporate client before activating the relationship.
The FATF Travel Rule applies to all UAE-licensed VASPs: any transfer exceeding AED 3,500 requires the collection, verification, and transmission of originator and beneficiary information. KYB is therefore not a one-time onboarding check for virtual asset businesses. It feeds into transaction-level compliance for every qualifying transfer.
DIFC-regulated virtual asset firms follow the DFSA Digital Assets regime and must meet enhanced due diligence standards equivalent to those applied to traditional financial services firms. ADGM-licensed virtual asset entities must apply full UBO verification under the FSRA’s dedicated framework.

How Shufti Supports KYB Compliance in the UAE
Compliance teams handling UAE corporate onboarding work across a framework that spans federal law, free zone regulations, and sector-specific regimes simultaneously. Manual processes cannot keep pace with that complexity, and the CBUAE’s enforcement record makes the cost of falling short concrete.
Shufti’s KYB solution checks company registries, ownership records, and UBO chains across 250+ jurisdictions, including the UAE mainland and all major free zones. Business AML screening runs corporate entities and their UBOs against 3,500+ global watchlists updated every 15 minutes, keeping risk profiles current well beyond the point of onboarding. For businesses managing compliance across mainland UAE and international markets, Shufti’s UAE solutions page covers the full verification stack in one place.
Frequently Asked Questions
What is KYB compliance in the UAE?
KYB (Know Your Business) compliance in the UAE is the mandatory process of verifying a corporate client's identity, ownership structure, and risk profile before entering a business relationship. It applies across all regulated entities under Federal Decree-Law No. 10 of 2025, covering mainland, DIFC, ADGM, and VARA frameworks.
What documents are required for KYB in the UAE?
Core documents include a trade licence, certificate of incorporation, memorandum and articles of association, shareholder register, director and UBO identification, business address proof, and financial statements for higher-risk relationships. All records must be retained for at least five years.
What is the penalty for KYB non-compliance in the UAE?
CBUAE non-compliance charges range from AED 50,000 to AED 500,000 per violation. Regulators have also revoked licences and imposed personal sanctions on compliance officers. Under Federal Decree-Law No. 10 of 2025, false UBO declarations carry imprisonment plus fines from AED 20,000.
Is KYB mandatory for crypto companies in the UAE?
Yes. All VARA-licensed entities, plus DFSA and FSRA-licensed virtual asset firms, must perform full KYB on corporate clients. The FATF Travel Rule also applies, requiring verified originator and beneficiary data for transfers exceeding AED 3,500.
What are UAE UBO disclosure requirements?
Any natural person holding 25% or more of ownership, voting rights, or effective control must be identified as a UBO, verified, and recorded in a register. Businesses must update this register on ownership changes and provide it to the UAE FIU within 30 days on request.
