Applying a risk-based approach (RBA) to AML compliance is both a best practice and a regulatory obligation for financial institutions, DNFBPs (Designated Non-Financial Businesses and Professions), and Virtual Asset Service Providers (VASPs) in the UAE. This obligation arises under Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Proliferation Financing, and its Executive Regulations issued via Cabinet Resolution No. (134) of 2025.
UAE AML laws require regulated entities to continually assess and monitor customer risk profiles throughout the customer lifecycle, not only at onboarding.
That means a customer originally classified as low risk must be reassessed if circumstances change, and if their risk profile increases, proportionate steps must be taken immediately.
Why Risk Profiling Must Continue After Onboarding
Customer risk classification is not a “one-and-done” exercise. A low-risk customer at the outset may later exhibit new characteristics or behaviours that elevate them to medium or high-risk status. UAE AML frameworks mandate ongoing monitoring so that risk changes are detected, reassessed, and managed with proportionate controls, including Enhanced Due Diligence (EDD) where necessary.
Triggers for Reclassifying a Customer
Monitoring systems should flag changes in risk indicators. Common scenarios that can cause a shift from low to medium or high risk include:
- Becoming a Politically Exposed Person (PEP): A previously low-risk individual who becomes a PEP, or is newly associated with one, presents heightened ML/FT/PF risk.
- Adverse Media or Criminal Charges: Allegations of corruption, fraud, or reputational concerns must trigger reassessment.
- Suspicious or Non-Cooperative Behaviour: Unwillingness to provide information or unexplained changes in transaction patterns.
- Unexplained Growth in Transactions or Wealth: Rapid increases without legitimate justification.
- Changes in Geographic Risk: Relocation to or activity in jurisdictions identified as high-risk by the FATF, the UAE National Risk Assessment, or directives issued by competent supervisory authorities.
- Third-Party Transaction Arrangements: Involvement of unrelated intermediaries without clear business rationale.
Steps After Reclassification
Once a customer is reclassified as medium or high risk, regulated entities must act promptly:
Enhanced Due Diligence (EDD):
- Verify source of funds and source of wealth.
- Identify and confirm beneficial ownership.
- Conduct enhanced screenings for sanctions, PEPs, and adverse media.
Senior Management Approval: Required before establishing or continuing relationships with high-risk customers.
Strengthened Transaction Monitoring: Increase frequency and depth of monitoring for unusual patterns.
Restrict or Modify Business Interactions: Limit access to certain products or services until risk is clarified.
Terminate the Relationship: If risk exceeds your entity’s appetite or the customer refuses cooperation.
File a SAR/STR promptly via the goAML platform of the UAE Financial Intelligence Unit (FIU): Mandatory if suspicious activity linked to ML/FT/PF is detected, with strict adherence to “no tipping off” rules.
Best Practices for Ongoing Risk Management
- Deploy automated systems for continuous screening and PEP/sanctions monitoring.
- Conduct trigger-based reviews when risk factors emerge.
- Document all risk changes, approvals, and EDD actions rigorously.
- Update AML policies and staff training to include clear escalation criteria.
FAQs
Q1: How often should customer risk profiles be reviewed?
There is no fixed interval; reviews must be proportionate to the customer’s risk profile, with higher-risk customers reviewed more frequently. Trigger events should prompt immediate reassessment.
Q2: Does relocation automatically change risk?
Not automatically, but moving to or transacting in a higher-risk jurisdiction requires reassessment and potentially enhanced due diligence.
Q3: What qualifies as suspicious activity requiring an STR?
Examples include unusual transaction sizes, patterns inconsistent with stated business purpose, repeated third-party involvement without logic, or adverse media linked to ML/FT/PF indicators.
Q4: Can a customer be downgraded back to low risk?
Yes, if subsequent reviews demonstrate that risk indicators have subsided and EDD findings justify downgrading. All decisions must be documented.
How Jitendra Chartered Accountants Can Help
Addressing the shift of a low-risk customer to medium or high-risk status is central to strong UAE AML compliance. Ongoing monitoring, trigger-based reassessment, thorough documentation, and proportionate responses protect your organization from exposure to financial crime.
At Jitendra Chartered Accountants, we specialize in AML compliance advisory tailored to the UAE’s regulatory framework. From risk assessment frameworks and ongoing monitoring systems to EDD workflows and goAML reporting support, our AML consultants in the UAE help institutions align with best practices and regulatory requirements.
Whether you are reviewing existing portfolios or enhancing your AML program, we provide practical, compliance-focused solutions that safeguard your organization and strengthen governance.



