The UAE’s groundbreaking Federal Decree Law No. 10 of 2025, which came into effect on October 14, 2025, has fundamentally reshaped the landscape of anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations within the Emirates. This comprehensive overhaul of the nation’s AML framework introduces a critical shift, extending personal criminal liability to senior managers and compliance officers for failures occurring under their purview. The law moves beyond the traditional focus on egregious bad actors, imposing a "should have known" standard that places significant weight on professional judgment and the meticulous documentation of decisions. This article delves into the practical ramifications of this new legislation, offering a direct perspective from Amarjeet Singh, who leads the GRC function at a prominent UAE consulting firm, on aspects that he believes GRC directors in the UAE may be underestimating.

The introduction of Decree Law 10 marks a pivotal moment in the UAE’s legal history, moving beyond corporate fines to encompass individual criminal liability. Prior to this legislation, accountability primarily rested with the corporate entity. However, the new law establishes that knowledge, a key element in proving culpability, can now be inferred from objective circumstances. This "should have known" test signifies a substantial departure from requiring proof of actual knowledge of criminal intent, a change that many legal analysts and compliance professionals are still working to absorb fully.

The Evolution of AML and CFT Regulation in the UAE

For years, the UAE has been diligently strengthening its AML and CFT regime to align with international standards and combat illicit financial flows effectively. This journey has involved continuous legislative updates and enhanced supervisory oversight. The enactment of Federal Decree Law No. 10 of 2025 represents the most significant advancement in this ongoing effort. This new law supersedes previous decrees and regulations, consolidating and enhancing the framework to address evolving threats and international best practices. The UAE’s commitment to this cause has been underscored by its active participation in global initiatives and its proactive stance in implementing robust regulatory measures. The country’s strategic location and its role as a global financial hub necessitate a vigilant approach to preventing its financial system from being exploited by criminals.

The impetus behind such stringent legislation often stems from a combination of factors, including the need to maintain the integrity of the financial system, comply with recommendations from international bodies like the Financial Action Task Force (FATF), and avoid being placed on international watchlists, which can have severe economic repercussions. The UAE has faced scrutiny in the past regarding its AML/CFT framework, prompting a concerted effort to bolster its defenses and demonstrate its unwavering commitment to global financial security. Decree Law 10 is a testament to this commitment, reflecting a mature regulatory environment that is willing to implement demanding standards to safeguard its economy.

Understanding "Senior Management" Under the New Framework

The accompanying regulations to Decree Law 10 provide a clear definition of "senior management." This definition encompasses individuals vested with the authority to make strategic or executive decisions impacting risk management, compliance policies, and operational governance. Critically, this explicitly includes Chief Executive Officers (CEOs), general managers, and board members. However, the scope extends further, capturing any individual in a position to directly influence compliance policies. Within the typical organizational structure of many UAE exchange houses and financial institutions, this definition unequivocally includes the GRC director.

The practical implication of this broad definition is profound. If a compliance failure occurs within an institution, and a regulator or prosecutor can demonstrate that a senior manager or compliance officer had access to relevant information, possessed the authority to act, and failed to do so, they may face personal criminal proceedings. This is in addition to the substantial corporate fines that can be levied under the new framework, which can reach up to AED 100 million for legal entities. For individuals, sanctions can be severe, including prohibition orders, bans from management functions, and referral for prosecution.

A stark illustration of the increasing individual accountability occurred even before the full implementation of Decree Law 10. In May 2025, a branch manager of a Central Bank of the UAE (CBUAE) regulated exchange house was fined AED 500,000 and permanently banned from the UAE financial sector following a significant AED 200 million sanction imposed on his institution. While this occurred under the previous regulatory regime, it foreshadowed the sharper tools for individual accountability that Decree Law 10 has now formalized and amplified.

The Paradigm Shift: From Institutional to Individual Accountability

Historically, AML and GRC frameworks within the UAE financial sector were predominantly structured around institutional accountability. Policies, procedures, training programs, and audit trails were meticulously maintained to demonstrate that the institution itself had implemented adequate controls and safeguards. The underlying assumption was that individual liability, if it arose, was typically reserved for individuals who engaged in clear, egregious misconduct. Decree Law 10 fundamentally disrupts this comfort zone.

The law now necessitates a level of detailed, contemporaneous documentation of individual decision-making that few GRC functions currently possess. This is not merely about recording what a policy dictates or what a system logs; it requires evidence that a specific, authorized individual reviewed specific information, made a particular decision, and that this decision was reasonable given the knowledge available at that time. This shift demands a re-evaluation of fundamental GRC processes, transforming administrative tasks into strategic imperatives with significant legal consequences.

Questions that GRC directors once considered routine are now imbued with potential criminal ramifications. For instance, what constitutes adequate documentation for an escalation? What does it truly mean to be "made aware" when a suspicious pattern emerges in a monitoring report that lands on a GRC officer’s desk? At what precise point does inaction, despite having access to information, cross the threshold into the kind of willful blindness the law is designed to penalize? These are no longer abstract theoretical debates; they are now critical questions with the potential for severe personal legal outcomes.

Three Critical Areas Underestimated by UAE GRC Directors

While the overarching intent of Decree Law 10 is widely recognized as positive and aligned with global best practices, Amarjeet Singh highlights three specific operational changes that he believes are being underestimated by GRC directors across the UAE.

1. Making Individual Decision Logging Rigorous

The audit trails maintained by most UAE financial institutions for AML decisions were historically designed for institutional review and oversight, not for establishing individual accountability. While these trails might record that an alert was cleared, they often fall short of documenting who cleared it, what specific information they reviewed, and, crucially, why that decision was deemed reasonable at the time. The new law renders these three elements legally material. Without this granular level of documentation, GRC directors are operating with significant exposure. The standard now requires a personal audit trail for decisions, mirroring the rigor applied to transaction logging, ensuring that each decision point is traceable to an individual and justified by the available information.

This implies a need for enhanced technological solutions and procedural adjustments. Systems must be capable of capturing not just the action taken, but the identity of the decision-maker, the specific data points considered, and the rationale articulated at the moment of decision. This is a substantial undertaking that requires investment in both technology and training to embed this new documentation discipline across all relevant personnel.

2. Testing "Senior Management" Against Actual Structures

The legal definition of "senior management" is functional, not purely title-based. While organizational charts may delineate roles, the regulations emphasize the authority to influence compliance policies and risk management decisions. If a GRC director, regardless of their precise title, holds such authority, they fall under the purview of this definition. Institutions that rely solely on formal titles and have not meticulously mapped their actual decision-making authority against the legal definition are making a potentially perilous assumption.

This necessitates a deep dive into the actual power dynamics and decision-making processes within an organization. It requires an honest assessment of who truly wields influence over compliance and risk. Boards of directors and executive leadership must proactively engage in this mapping exercise to ensure accurate identification of individuals subject to the new accountability standards. This process might reveal that individuals in roles not traditionally considered "senior management" are, in fact, captured by the law’s broad definition, requiring a recalibration of compliance responsibilities and oversight.

3. Creating Documented Escalation Records

Perhaps the most perilous scenario under the new framework is not the outright disregard of a red flag, but rather a verbal escalation followed by a verbal resolution. In such instances, the individual who escalated the issue may struggle to demonstrate that they acted appropriately if they lack any written record. Under Decree Law 10’s objective knowledge standard, a defense of "I escalated this and was told it was fine" becomes exceedingly difficult to prove without corroborating documentation.

Every material escalation, regardless of its eventual outcome, must now be accompanied by a written record. This record should detail the nature of the escalation, the information provided, the individuals involved in the discussion, and the rationale behind the decision or guidance received. This is not about creating bureaucratic hurdles but about establishing a verifiable trail of due diligence and adherence to established protocols. Without such documentation, individuals could find themselves unable to defend their actions, even if they believed they had acted in good faith.

Broader Implications for the Profession and Market Development

Federal Decree Law No. 10 of 2025 raises a more profound question for the compliance community in the UAE: how must the profession itself evolve to meet these new demands? The law has fundamentally altered the risk profile associated with GRC leadership roles. Both individuals aspiring to these positions and the institutions that recruit them must adjust their understanding of the job’s inherent responsibilities and potential liabilities.

In jurisdictions like the UK and EU, the implementation of similar Senior Managers and Certification Regimes (SMCR) has led to significant changes in how compliance officers negotiate employment terms, the indemnities they seek from employers, and their personal documentation of conduct over time. These regimes have directly driven an increase in detailed meeting minutes and board papers, reflecting the heightened accountability concerns. The UAE market has yet to engage in this critical conversation systematically.

For current GRC directors, the imperative is clear: build personal documentation discipline immediately. Waiting for a regulatory examination to begin is a reactive approach that could prove disastrous. For boards and audit committees, a proactive understanding of the individual accountability implications of the new law for their senior compliance staff is essential. This understanding must be established before it is needed in an enforcement context, allowing for necessary adjustments to policies, procedures, and oversight mechanisms.

The UAE’s commitment to robust AML and CFT measures, as exemplified by Decree Law 10, is a positive development for the integrity of its financial system and its standing on the global stage. However, the successful implementation of this ambitious legislation hinges on a comprehensive understanding and proactive adaptation by all stakeholders. The "should have known" standard is not merely a legal technicality; it represents a fundamental redefinition of professional responsibility in the financial sector, demanding a new era of meticulous documentation and demonstrable diligence. The coming years will undoubtedly see a significant evolution in GRC practices across the UAE as institutions and individuals navigate this transformative legal landscape.
