KYC in the UAE: CBUAE, FATF, and Digital Identity Regulations for 2026

On 16 April 2026, the Central Bank of the UAE issued updated anti-money laundering guidance for licensed financial institutions, the most substantial revision to UAE KYC obligations since the country exited the Financial Action Task Force (FATF) grey list in February 2024.

The guidance formally shifts identity verification from a point-in-time onboarding check to a continuous, risk-based compliance obligation, and it lands ahead of the UAE’s upcoming FATF mutual evaluation cycle.

If your compliance team hasn’t audited its KYC workflows against the new guidance, this article covers what has changed, what FATF now expects, and how digital identity tools are meeting the updated standard.

What the CBUAE KYC framework requires?

The CBUAE AML/CFT Rulebook sets the baseline for KYC obligations across all licensed financial institutions in the UAE. The April 2026 update sharpened those obligations across three areas, clarifying the risk-based thresholds for simplified versus enhanced due diligence, standardising CDD documentation retention at five years following relationship end, and establishing that identity verification must be applied throughout the customer lifecycle, not only at account opening.

Two practical requirements carry the most weight for compliance teams running digital onboarding UAE compliance programmes.

Customer identification and due diligence

The CBUAE’s customer identification and verification rules, updated through April 2026, require institutions to collect and verify full legal name, date of birth, nationality, residential address, and national identification details for each customer.

For individuals, verification must use government-issued documents. Where digital onboarding is used, the CBUAE’s guidance on digital identification for CDD confirms that Emirates ID validation through the UAE Pass application and the Federal Authority for Identity, Citizenship, Customs and Port Security qualifies as a compliant pathway. Customer due diligence (CDD) records, verification logs, and KYC risk scores must be retained for a minimum of five years after the end of a business relationship.

Ongoing monitoring and record-keeping

The April 2026 guidance is explicit on this point. Customer risk profiles must be updated on a risk-based schedule, not only when a transaction flags a concern. High-risk customers require enhanced due diligence (EDD), periodic document refresh, and a documented rationale for any simplified CDD applied to lower-risk accounts.

Compliance teams that manage AML and KYC in the UAE without automated transaction monitoring find that manual review queues scale poorly with onboarding volume, a pattern covered in a guide to AML regulations in the UAE.

The CBUAE expects real-time screening against sanctions lists, politically exposed persons (PEP) databases, and adverse media sources as part of a technology-enabled compliance stack. For compliance teams managing hundreds of active accounts, automated periodic screening is a direct expectation in the April 2026 supervisory guidance, not a discretionary addition.

How FATF compliance shapes KYC in the UAE?

The FATF removed the UAE from its grey list in February 2024 after the country achieved compliance with 15 of 40 FATF Recommendations and substantial compliance with 24 more. That exit validated three years of regulatory reform, but the obligation continued.

The UAE’s 2024–2027 National Strategy for Anti-Money Laundering and Combating the Financing of Terrorism (CFT) commits to sustained performance ahead of the next mutual evaluation cycle, and any institution found deficient in that review faces direct regulatory consequences. FATF compliance for UAE businesses now includes specific obligations for crypto businesses that did not exist in the previous framework.

UAE post-grey-list AML enforcement

FATF exit does not suspend supervisory scrutiny. The UAE National AML/CFT Council’s 2024 annual report documents enforcement actions taken across the financial system since the grey-list exit. Dubai’s Virtual Assets Regulatory Authority (VARA) issued 41 fines totalling over AED 48 million against non-compliant virtual asset businesses since the start of 2024, demonstrating that post-grey-list enforcement is accelerating rather than easing. For any licensed financial institution or designated non-financial business or profession (DNFBP), including real estate brokers, accountants, and legal firms, maintaining audit-ready KYC documentation aligned to current FATF standards is now a permanent baseline, not an occasional compliance project.

FATF compliance and UAE crypto businesses

Virtual asset service providers (VASPs) in the UAE are held to the same KYC and AML standards as conventional financial institutions under Federal Decree-Law No. 6 of 2025. The VARA rulebook mandates three-tiered customer identification, Travel Rule compliance for cross-border transfers, and real-time transaction monitoring.

FATF compliance for UAE crypto businesses requires identity verification at the wallet level for high-risk transfers, along with suspicious transaction reports (STRs) filed with the UAE Financial Intelligence Unit.

For compliance teams applying these requirements in practice, the UAE crypto regulatory landscape guide maps the full VARA obligation set. KYC API integration for UAE fintech and crypto platforms must handle both individual customer verification and wallet-level risk scoring within a single connected workflow, rather than relying on manual handoffs between separate tools.

UAE digital identity verification and KYC onboarding solutions

UAE digital identity verification gained a new infrastructure layer in late 2024, when the CBUAE launched its nationwide e-KYC platform under Federal Decree-Law No. 30 of 2024, in partnership with technology provider Norbloc AB.

The platform centralises KYC and Know Your Business (KYB) data sharing across licensed institutions, eliminates duplicate CDD checks, and integrates with UAE government identity sources. UAE digital identity platforms are now a core part of how financial institutions meet CBUAE compliance expectations at scale without multiplying manual review overhead.

UAE Pass and the national e-KYC platform

UAE Pass is a CBUAE-recognised verification pathway that allows institutions to authenticate customers against the Federal Authority’s identity database without manual document submission. For low-to-medium risk customers, UAE Pass is among the most direct KYC onboarding solutions that UAE institutions can deploy, removing physical document submission entirely from the onboarding journey.

The national e-KYC platform extends this further by enabling participating institutions to reuse verified identity data across the system, cutting per-customer CDD duplication. For fintechs building KYC API integration for UAE products, both UAE Pass and the national platform expose structured APIs that connect to document verification and AML screening layers. The digital identity platforms UAE bank and fintechs now rely on are a regulatory-grade alternative to traditional document uploads.

What to look for in KYC automation tools?

According to the April 2026 CBUAE guidance, inspection-ready KYC requires documented risk assessments per customer segment, real-time sanctions and PEP screening, biometric liveness records, and governance trails showing senior management oversight. KYC automation tools that UAE compliance teams evaluate should cover all four in a single audit log.

Standalone document capture tools that do not connect to AML screening leave a compliance gap that manual remediation cannot close at volume. The best KYC software UAE businesses evaluate in 2026 supports the full CDD-to-EDD-to-ongoing-monitoring flow through a single KYC API integration, rather than requiring teams to reconcile outputs from separate systems.

When assessing CBUAE-approved KYC providers or UAE KYC compliance services, compliance teams should request evidence of iBeta-certified biometric liveness, global sanctions database coverage, data residency options for CBUAE and DIFC regulatory requirements, and exportable five-year audit logs.

How Shufti helps UAE compliance teams meet CBUAE KYC standards?

Compliance teams at UAE-licensed institutions and VASPs face a specific pressure point. The April 2026 CBUAE guidance demands continuous monitoring, but most legacy onboarding stacks were built for one-time CDD checks. A disconnected stack, where document capture, biometric verification, and AML screening run through separate systems, produces documentation gaps that fail automated supervisory review.

Shufti’s identity verification and AML screening capabilities run inside a single API, producing a unified audit trail across the full CBUAE-required lifecycle. Verification covers Emirates ID and UAE Pass-compatible channels, with iBeta Level 1 and 2 certified biometrics for high-risk accounts and real-time screening against 100,000+ AML data sources and 3,500+ global watchlists updated every 15 minutes. Those two capabilities together address the two failure points the April 2026 guidance targets most directly. Identity verification at onboarding is one. Ongoing AML risk monitoring after account opening is the other. Shufti processes 280 million+ identity checks annually across 230+ countries, giving UAE compliance teams a vendor whose scale has been tested at production volume across the MENA region and beyond.

Request a demo to see how the platform handles UAE Pass integration and VARA-compliant onboarding on your specific transaction volumes.