
Learn who must complete goAML registration in the UAE, how STR filing works, what DNFBPs need to prepare, and how AML compliance affects business banking and penalties.
GoAML registration is no longer a compliance topic that only banks and financial institutions need to understand. In the UAE, certain non-financial businesses and professions are also required to register on GoAML, maintain anti-money laundering controls, and report suspicious activity when required.
This matters because many business owners still assume AML compliance does not apply to them unless they handle financial products directly. That assumption can create serious risk for companies operating in regulated sectors such as real estate, accounting, audit, company formation, corporate services, precious metals and stones, and certain legal consultancy activities.
For Designated Non-Financial Businesses and Professions, also known as DNFBPs, goAML registration is not simply an online form. It is part of a wider compliance responsibility that includes customer due diligence, beneficial owner checks, risk assessment, suspicious transaction reporting, staff awareness, recordkeeping, and ongoing monitoring.
Ignoring goAML can lead to more than administrative pressure. It can expose a business to inspections, penalties, regulatory action, banking delays, account restrictions, and reputational damage. For companies that rely on their bank accounts for payroll, supplier payments, client receipts, rent, and tax obligations, compliance gaps can quickly become operational problems.
This guide explains who must register for goAML in the UAE, how STR filing works, what business owners should prepare, and why 2026 is not the year to treat AML compliance casually.
What is GoAML in the UAE?
goAML is the reporting platform used by the UAE Financial Intelligence Unit to receive reports from regulated entities. These reports include Suspicious Transaction Reports, Suspicious Activity Reports, and other report types required under the AML framework.
For businesses under DNFBP obligations, goAML is the official channel for submitting suspicious transaction and suspicious activity reports. Registration gives the business access to the platform, but the wider requirement goes beyond access. The company must also understand when a matter should be escalated, what information should be collected, who is responsible internally, and how records should be maintained.
The purpose of goAML is not to make every business act like a bank. It is to ensure that higher-risk sectors have a structured way to identify and report suspicious activity before their services are misused for money laundering, terrorist financing, proliferation financing, sanctions evasion, or other financial crime risks.
Who must register for GoAML in the UAE?
GoAML registration applies to businesses and professions that fall within the DNFBP category. This generally includes sectors that may be exposed to high-value transactions, complex ownership structures, client funds, asset transfers, or business formation activities.
The businesses most likely to need GoAML review include real estate brokers and agents, dealers in precious metals and stones, auditors, accountants, corporate service providers, company formation firms, trust and company service providers, and certain legal professionals when they carry out specified activities for clients.
The exact obligation depends on the company’s licensed activity, actual services, customer profile, transaction type, and risk exposure. A business should not rely only on the wording of its trade license. The more important question is what the company actually does for clients and whether those activities fall within AML supervision.
This is especially relevant for corporate service providers, accounting firms, real estate companies, and businesses that help clients buy assets, structure companies, manage transactions, or deal with beneficial ownership information.
What changed under the 2025 AML framework?
The UAE’s AML framework has become more detailed and enforcement-focused. Federal Decree-Law No. 10 of 2025 and its related executive regulations place strong emphasis on risk-based compliance, beneficial ownership, suspicious transaction reporting, supervisory powers, and accountability for regulated entities.
For DNFBPs, this means AML compliance should not be limited to registration. Businesses are expected to identify, understand, manage, document, and update their risks. They must also implement customer due diligence measures, maintain records, establish internal policies and controls, and make information available to competent authorities when required.
This is important because many businesses still treat AML as a one-time document exercise. They may download a generic policy, appoint a compliance officer only on paper, and assume the matter is complete.
That approach is weak. A real AML framework should reflect the company’s actual risks, customers, services, transaction patterns, and internal decision-making process.
Step-by-step GoAML registration guide
The GoAML registration process can vary depending on the company’s activity and supervisory requirements, but the preparation usually starts before the portal submission itself.
First, the business should confirm whether it falls under the DNFBP category. This should be reviewed carefully because some companies may not realize their activities create AML obligations.
Next, the company should prepare its entity details. This may include the trade license, registered address, ownership information, manager or authorized signatory details, contact information, and relevant supporting documents.
The business should then identify the person responsible for AML reporting and compliance. Many companies refer to this person as the MLRO or compliance officer. This person should have enough authority, access, and understanding to manage escalation, reporting, and communication with relevant authorities where required.
After the internal details are prepared, the business can complete registration through the approved GoAML process. The company should make sure the information submitted is accurate and consistent with its official records.
Once registration is complete, the business should not stop there. The next step is to build or update its AML compliance framework so that the company can actually identify suspicious activity, maintain proper records, and file reports when required.
What is an STR?
An STR is a Suspicious Transaction Report. It is filed when a regulated business suspects, or has reasonable grounds to suspect, that a transaction or funds may be connected to money laundering, terrorist financing, proliferation financing, or related criminal activity.
The key point is that a business does not need to prove a crime before reporting. The obligation is triggered by suspicion or reasonable grounds for suspicion.
Examples may include unusual payment patterns, transactions that do not match the customer’s known business activity, reluctance to provide ownership information, unexplained third-party payments, inconsistent sources of funds, unusually complex structures, or behavior that appears designed to avoid normal due diligence checks.
For accountants, auditors, corporate service providers, and real estate firms, the risk may appear during onboarding, transaction review, beneficial owner checks, payment discussions, or ongoing client monitoring.
When should an STR be filed?
Suspicious transactions should be reported without delay through the approved system. This means businesses should not wait until a full internal investigation is perfect before escalating a genuine suspicion.
A company may have an internal review process, but that process should not become a reason for delay. Some businesses adopt short internal escalation timelines, such as requiring staff to report concerns to the MLRO within a few business days. That can be useful as an internal control, but the legal principle remains that suspicious activity should be reviewed and reported promptly where the threshold is met.
The business should also avoid tipping off. This means it should not inform the customer or any unauthorized person that a report has been filed or that suspicious activity is being reviewed. Tipping off can undermine an investigation and create serious compliance risk.
A strong STR process should clearly explain who receives internal alerts, how the MLRO reviews them, what information should be documented, when the report should be filed, and how confidentiality is maintained.
What should an STR include?
An STR should contain clear, useful, and relevant information. A weak report with vague statements may not help the FIU understand the concern.
The business should document the customer details, transaction information, reason for suspicion, supporting documents, timeline of events, source of funds concerns, beneficial owner details, communication records, and any red flags identified during due diligence.
For example, if a client refuses to provide beneficial ownership information, uses unrelated third parties to make payments, changes transaction instructions without a clear reason, or cannot explain the commercial purpose of a transaction, those facts should be recorded carefully.
The report should be based on what the business knows, what it observed, and why the activity appears suspicious. It should not include unnecessary assumptions or unsupported accusations.
Building a real AML compliance framework
goAML registration is only one part of AML compliance. A business also needs internal systems that show it can identify and manage risk.
A practical AML framework should include a written AML policy, customer due diligence procedures, beneficial owner records, customer risk assessment, sanctions screening, enhanced due diligence for higher-risk clients, ongoing monitoring, suspicious activity escalation, staff training, and record retention.
The policy should not be generic. It should reflect the business model, customer base, transaction types, service lines, and risk exposure. A real estate brokerage will not have the same AML risk profile as an accounting firm. A corporate service provider will not face the same issues as a precious metals dealer.
The company should also keep evidence of its process. It is not enough to say that due diligence was done. The business should be able to show customer files, UBO records, risk ratings, screening results, approval notes, staff training records, and periodic review evidence.
Enforcement reality in 2026
AML enforcement in the UAE is becoming more serious, and DNFBPs are clearly part of that focus.
Under the 2025 framework, supervisory authorities have powers to conduct desk-based and field inspections, maintain statistics on penalties, impose administrative fines, restrict activities, suspend responsible individuals, require remedial reporting, and revoke licenses in serious cases.
The law also provides for administrative fines for violations, and legal entities can face much higher exposure where principal money laundering offenses are committed by representatives, managers, or agents in the entity’s name or on its behalf.
This is why business owners should be careful when discussing penalty figures. Not every goAML mistake automatically leads to the highest penalty ceiling, but the enforcement risk is real and the consequences can become severe depending on the nature of the breach.
Banking is another practical concern. If a bank requests AML evidence and the business cannot provide goAML registration details, AML policies, customer due diligence records, beneficial owner information, or risk assessment documents, the account may face additional scrutiny. That can affect onboarding, transaction processing, account reviews, and banking relationships.
Could a business bank account be frozen or restricted?
A business bank account is not frozen automatically because a company has not registered for goAML. The risk is more specific.
If there is suspicion that funds or transactions are connected to a financial crime, the UAE AML framework allows temporary suspension of suspicious transactions and freezing of funds in certain circumstances. Banks may also take a more cautious approach when a customer cannot satisfy compliance requirements during onboarding or periodic review.
For business owners, the operational risk is clear. Weak AML compliance can create banking friction, delayed transactions, account review pressure, or difficulty proving that the company has proper controls.
This is why goAML compliance should be handled before a bank requests it. A company that has its registration, policies, records, and due diligence files ready is in a much stronger position than a business trying to prepare everything after an urgent banking request.
Common GoAML and AML compliance mistakes
Many DNFBPs make the same mistakes when dealing with AML compliance.
The first mistake is assuming goAML does not apply because the business is not a bank. This is one of the most common misunderstandings among non-financial businesses.
The second mistake is using a generic AML policy that does not reflect the company’s actual activity. A copied policy may look complete, but it will not help the business during a real compliance review if it does not match how the company operates.
Another common issue is appointing an MLRO or compliance officer without giving that person authority, training, or access to client and transaction information. A nominal appointment does not create a working compliance system.
Some companies also fail to update risk assessments. A risk assessment prepared once and left untouched may no longer reflect the company’s customer base, services, transaction values, or sector exposure.
Periodic checks are often missed as well. Customer due diligence should not be treated as an onboarding-only exercise. Businesses need ongoing monitoring, sanctions screening, and updated records when customer information changes.
What business owners should do now
The first step is to check whether your company falls under DNFBP obligations. This should be reviewed based on both the license activity and the actual services provided.
If goAML registration applies, the company should complete registration and appoint a responsible compliance person with proper authority. The business should then prepare AML policies, customer due diligence procedures, UBO records, risk assessment files, sanctions screening records, staff training documents, and suspicious transaction reporting procedures.
Companies that already registered should review whether their AML framework is still current. Registration alone does not prove full compliance.
A business should be able to answer practical questions. Who is responsible for AML compliance? How are customers risk-rated? Where are UBO records stored? How often are customers reviewed? What happens when staff identify a red flag? Who decides whether an STR should be filed? Are staff trained to avoid tipping off?
If those answers are unclear, the company’s AML process needs attention.
Get GoAML registration and AML compliance support in the UAE
GoAML registration is an important step, but it is not the full compliance picture. Businesses that fall under DNFBP obligations need a practical AML framework that supports registration, reporting, customer due diligence, beneficial owner checks, staff training, and ongoing monitoring.
If your business has not reviewed its goAML position or needs help strengthening its AML compliance process, contact AMCME today.
For full goAML registration and AML compliance support, visit us at amcme.ae




