Financial institutions (FIs) designated non-financial businesses and professions (DNFBPs), and virtual asset service providers (VASPs) operating in the UAE face increasing scrutiny to combat not only money laundering and terrorist financing (ML/FT) but also proliferation financing (PF).
Proliferation financing involves the provision of funds, financial services, or economic resources that support the development, manufacture, transport, or use of weapons of mass destruction (WMD) and their delivery systems.
The UAE has strengthened its counter-proliferation financing (CPF) framework through Federal Decree Law 10 of 2025 and Cabinet Resolution 134 of 2025, making institutional PF risk assessment a mandatory component of the AML/CFT and CPF regime.
Guidance issued by the Executive Office for Control and Non-Proliferation (EOCN) emphasises the need for businesses to evaluate PF risks at both enterprise-wide and customer levels.
This blog explores the key elements of proliferation financing institutional risk assessment, helping UAE-regulated entities understand and implement effective controls.
What is Proliferation Financing Risk Assessment?
Proliferation financing risk assessment is the documented, risk-based process of identifying, analysing, and mitigating the risk that a business may inadvertently facilitate the financing of WMD programmes. It requires organisations to examine their exposure across customers, geographies, products, services, delivery channels, and transactions, and then apply proportionate CPF measures.
Unlike traditional AML/CFT assessments, which must now be read together with CPF requirements under UAE law, PF risk assessment focuses on dual-use goods, sanctioned jurisdictions, and complex supply chains that could support nuclear, chemical, or biological weapons activities. The EOCN’s dedicated guidance for FIs, DNFBPs, and VASPs provides a clear methodology to integrate PF considerations into existing compliance programmes.
Why Proliferation Financing Risk Assessment Matters in the UAE
Failing to identify PF vulnerabilities can expose businesses to severe consequences, including hefty regulatory penalties, international sanctions, reputational damage, and loss of customer trust. The UAE, as an active FATF member, is committed to robust detection, prevention, and mitigation of PF risks.
A well-conducted institutional risk assessment enables organisations to:
- Comply with regulatory requirements issuedby the Central Bank of the UAE (CBUAE), Securities and Commodities Authority (SCA), and Virtual Assets Regulatory Authority (VARA).
- Strengthen overall AML/CFT and CPF frameworks.
- Protect the integrity of the UAE financial system and its position as a global business hub.
Key Steps in Conducting Proliferation Financing Institutional Risk Assessment
The EOCN guidance outlines a structured four-step approach that regulated entities should follow:
- Assess Inherent Risks
Evaluate the PF exposure arising from customers, geographies, products and services, delivery channels, and cyber risks. Classify the inherent risk as low, medium, or high based on the business’s risk appetite and specific vulnerabilities.
- Evaluate the Adequacy and Effectiveness of Controls
Review existing controls for design quality and operational effectiveness. Controls are rated as effective, partially effective, or ineffective. Regular testing and updates are essential to address any gaps.
- Identify Residual Risks
Calculate residual risk by subtracting the effectiveness of controls from the inherent risk. This highlights areas where additional mitigation is required.
- Perform Ongoing Risk Assessment
Monitor for new or emerging risks and update the assessment periodically. Changes in customer profiles, products, or geopolitical developments must trigger a fresh review.
Key Risk Factors to Consider
A documented PF risk framework must be proportionate to the nature, size, and complexity of the business. The primary risk categories include:
Geographic Risk: Exposure to high-risk or sanctioned jurisdictions such as North Korea and Iran, including indirect routing through third countries. Businesses must assess both their operational locations and target markets.
Customer Risk: Arises from sanctions exposure, ownership by sanctioned persons, involvement in proliferation-sensitive goods, or geographic ties. Customer due diligence (CDD) and screening against targeted financial sanctions (TFS) lists are critical.
Product and Service Risk: Occurs when products or services can be misused to raise, move, or disguise funds linked to WMD activities or to procure dual-use goods and technologies.
These factors must be integrated into the broader AML/CFT framework, considering proliferation financing threats (e.g., links to sanctioned entities or dual-use procurement networks), vulnerabilities (e.g., sector-specific weaknesses or virtual asset services), and consequences (e.g., enabling WMD proliferation with global security implications).
Effective Risk Mitigation Measures
Adopting a risk-based approach is fundamental. Many existing AML/CFT controls can support CPF efforts, but they must be tailored to PF-specific red flags. Key mitigation measures include:
- Enhanced KYC and CDD processes, including detailed questioning on geographies, transaction purpose, ultimate beneficial owners (UBOs), and involvement in dual-use goods.
- Comprehensive customer and connected-party screening against sanctions, watchlists, politically exposed persons (PEPs), and adverse media.
- Enhanced due diligence (EDD) for high-risk relationships, such as those involving PEPs, high-risk jurisdictions, or complex ownership structures.
- Ongoing transaction monitoring and periodic customer reviews to detect changes in risk profiles.
By embedding these measures, FIs, DNFBPs, and VASPs can demonstrate compliance and build a resilient CPF programme.
FAQs on Proliferation Financing Institutional Risk Assessment
1. What is the difference between proliferation financing and terrorist financing?
While both involve illicit funding, proliferation financing specifically supports the acquisition of WMD and related materials, whereas terrorist financing funds acts of terrorism. Both are addressed under the UAE’s unified AML/CFT and CPF framework.
2. Who must conduct a proliferation financing institutional risk assessment in the UAE?
All FIs, DNFBPs, and VASPs regulated under Federal Decree Law 10 of 2025 are required to perform and document PF risk assessments as part of their AML/CFT obligations.
3. How often should PF risk assessments be updated?
Assessments should be reviewed at least annually or whenever there is a material change in the business model, customer base, products, or geopolitical environment.
4. What roles do UAE AML consultants play in PF risk assessment?
UAE AML consultants provide expert guidance on developing tailored risk frameworks, conducting assessments, implementing controls, and ensuring alignment with EOCN, CBUAE, SCA, and VARA requirements.
Choose the Best AML Consultants in UAE
Proliferation financing institutional risk assessment is a regulatory necessity and a critical business safeguard for FIs, DNFBPs, and VASPs in the UAE. By integrating PF considerations into your AML/CFT framework, you can effectively identify, assess, and mitigate risks while maintaining compliance and protecting your reputation.
For expert assistance with your proliferation financing risk assessment, AML/CFT programme development, or full-spectrum UAE AML compliance solutions, choose Jitendra Chartered Accountants, your trusted UAE AML consultants. Contact our team today to ensure your business remains resilient and fully compliant.