In the UAE, KYC compliance is evidence-based.
Regulators do not assess intent — they assess documentation.
During an AML inspection, authorities typically ask one question first:
“Please provide your KYC records.”
If documentation is:
- Incomplete
- Outdated
- Inconsistent
- Not risk-based

👉 Compliance is considered failed, even if the business claims it “knows its customer.”
This makes KYC documentation the backbone of AML compliance in the UAE.
KYC documentation refers to all records that prove a business has properly identified, verified, assessed, and monitored its customers in line with UAE AML regulations.
These records must:
- Be accurate
- Be retrievable
- Be retained securely
- Match the customer risk profile
- Support goAML reporting decisions

UAE AML inspections usually review KYC documents across five core categories:
- Customer identification documents
- Verification evidence
- Beneficial ownership records
- Risk assessment documentation
- Ongoing monitoring & screening records

Each category is mandatory.
Businesses must collect basic identifying information for every customer at onboarding.
| Customer Type | Identification Information |
|---|---|
| Individual | Full name, nationality, DOB, address |
| UAE company | Legal name, licence number, activity |
| Foreign company | Incorporation details, jurisdiction |
| Authorized signatory | Authority & relationship proof |
Identification without documentation is not sufficient.
Verification confirms that identification information is genuine and valid.
| Customer Type | Mandatory Documents |
|---|---|
| Individual (UAE resident) | Emirates ID, Passport |
| Individual (non-resident) | Passport |
| UAE company | Trade licence, MOA |
| Foreign company | Certificate of incorporation |
| Authorized signatory | POA + ID documents |
⚠️ Common inspection issue: expired documents still on file.
UBO identification is one of the highest-risk inspection areas.
Businesses must identify natural persons who:
- Own directly or indirectly
- Control the customer
- Benefit from transactions

| UBO Requirement | Supporting Documents |
|---|---|
| Ownership structure | Shareholding chart |
| Natural person ID | Passport copy |
| Control mechanism | Shareholder agreements |
| Verification | Company filings |
| Register | Internal UBO register |
Failure to identify UBOs is treated as a serious AML breach.
Every customer must be risk-rated.
Risk assessments must:
- Be documented
- Be justifiable
- Align with AML policy
- Be updated periodically

| Risk Factor | Example Evidence |
|---|---|
| Geography | Country risk classification |
| Business activity | Nature of operations |
| Transaction type | Cash / crypto exposure |
| Ownership complexity | Shareholding layers |
| PEP involvement | Screening results |
A missing or generic risk assessment is one of the most common inspection failures.
Businesses must retain proof that screening was performed.
This includes:
- Screening date
- Screening source
- Results
- Follow-up actions (if any)

| Screening Type | Required Record |
|---|---|
| UN sanctions | Screening report |
| Terrorist lists | Search evidence |
| PEP screening | Result + risk note |
| Rescreening | Periodic logs |
Verbal confirmation or “we checked online” is not acceptable.
EDD applies to high-risk customers.
- Cash transactions above AED 55,000
- Virtual asset exposure
- Politically Exposed Persons (PEPs)
- High-risk jurisdictions
- Complex ownership structures

| EDD Element | Evidence Required |
|---|---|
| Source of funds | Bank statements |
| Source of wealth | Asset declarations |
| Senior approval | Internal approval record |
| Monitoring plan | Review frequency |
| Risk rationale | Written justification |
KYC is not a one-time exercise.
Businesses must document:
- Periodic KYC reviews
- Updates to customer data
- Rescreening activities
- Risk reclassification

| Activity | Documentation |
|---|---|
| Periodic review | Review log |
| Data update | Revised KYC form |
| Risk change | Updated assessment |
| Rescreening | New screening report |
UAE AML regulations require businesses to retain KYC records:
- For at least 5 years
- After the end of the business relationship
- In a retrievable format
- Securely stored

Missing historical records often result in inspection findings, even if current files are compliant.
| Issue | Regulatory Impact |
|---|---|
| Missing KYC forms | Major finding |
| Expired IDs | Non-compliance |
| No UBO register | Serious breach |
| Generic risk rating | Adverse report |
| No screening proof | Penalty risk |
| Poor file organisation | Inspection delay |
KYC documentation provides the foundation for:
- Identifying suspicious activity
- Justifying goAML reports
- Defending compliance decisions

Without proper documentation:
- Suspicion cannot be substantiated
- Reports may be challenged
- Inspections escalate quickly

At Cortax Accounting & Tax Services, we help UAE businesses build and maintain complete, inspection-ready KYC documentation aligned with AML regulations.
Our support includes:
- KYC documentation checklists
- Customer KYC file setup
- UBO registers
- Risk assessment templates
- Sanctions & PEP screening setup
- goAML reporting support
- Pre-inspection reviews