A Brief Guide to KYC Requirements in the UAE

Several regulatory authorities in the country are responsible for KYC requirements—similar to Türkiye, where each major sector is governed by a separate body. Four of these operate nationwide, while two oversee KYC/AML policies within specific emirates:

• The Central Bank of the UAE (CBUAE)

• The UAE Securities and Commodities Authority (SCA) 

• The General Commercial Gaming Regulatory Authority (GCGRA)

• The UAE Financial Intelligence Unit (FIU) 

• The Dubai Financial Services Authority (DFSA) 

• The Abu Dhabi Global Market Financial Services Regulatory Authority (ADGM FSRA). 

The remaining five emirates—Ajman, Fujairah, Ras Al Khaimah, Sharjah, and Umm Al Quwain—may issue their own regulations, standards, and guidelines.

Several key federal laws shape the KYC landscape in the country:

• Federal Decree-Law No. 14 of 2018 – Concerning the Central Bank and the Regulation of Financial Institutions and Activities 

• Federal Decree-Law No. 20 of 2018 – On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations

• Federal Decree-Law No. 45 of 2021 – Concerning the Protection of Personal Data

Here is what these laws cover:

This law outlines licensing and operational standards for banks, finance companies, insurance firms, and other financial entities operating within the UAE. It positions the CBUAE as the primary regulator for financial institutions. The decree also introduces customer protection measures and mandates the implementation of strong risk management frameworks to address financial and operational risks.

As the UAE’s core legislation to combat money laundering and terrorism financing, this law document requires banks, financial institutions, and designated non-financial businesses—such as real estate agents—to implement KYC requirements, report suspicious activities to the UAE FIU, and keep transaction records for at least five years.

Entered into force on January 2, 2022, this is the UAE’s first comprehensive data protection law that aligns closely with global standards like the EU’s GDPR. It requires companies that collect personal data to obtain informed customer consent, implement security measures to protect this information, report breaches to the UAE Data Office and affected individuals, and appoint a Data Protection Officer if they process large volumes of sensitive data.

In 2024, Federal Decree-Law No. 30 introduced a national digital KYC platform. This law complements existing regulations by enhancing digital transformation and strengthening identity verification processes. 

The platform establishes a unified system for collecting, analyzing, and managing KYC data, primarily in the financial sector. A dedicated agency oversees the platform, which consolidates data from government bodies, financial institutions, and other relevant sources.

With customer consent, authorized users, such as banks and insurance companies, can access this KYC information to ensure they’re interacting with legitimate clients.

Let’s take a closer look at the specific regulations for UAE companies—particularly insurers, banks, and other financial institutions—to understand how the process is structured. 

The CBUAE Rulebook provides detailed guidance for regulated (i.e., licensed) entities. However, as stated in the document, the Rulebook itself has no legal effect. While it reflects the regulatory KYC framework, official sources, like the UAE Official Gazette, should be consulted for legally binding updates or amendments. 

The KYC framework in the UAE follows a standard three-tiered approach:

• Customer Identification (CID): Verifying the customer's identity using official documents.

• Customer Due Diligence (CDD): Gathering information to understand the customer's activities and assess risk.

• Enhanced Due Diligence (EDD): Applying additional scrutiny for higher-risk customers or transactions.

The level of due diligence required depends on factors such as transaction value, customer type, and risk indicators. For example, a money transfer under AED 35,000 typically requires only CID, while any transaction involving a Politically Exposed Person (PEP) triggers the full process: CID, CDD, and EDD.

KYC requirements are closely linked to the Money Laundering and Terrorist Financing (ML/FT) Risk Assessment framework, which includes customer risk as a key category. The system also takes into account counterparty risk (e.g., foreign banks, agents), product and service risk, technology-related risk, jurisdictional risk, and delivery channel risk. As a result, KYC and ML/FT compliance practices in the UAE extend beyond finance-related companies to sectors like real estate and even to some non-commercial entities that may engage in financial transactions.

This step covers standard identity verification procedures. The user must present a physical ID, such as a UAE national identity card, a passport with a valid visa, or a Gulf Cooperation Council (GCC) national ID issued by countries like Saudi Arabia. 

During the ID check, the company must collect and record the following details: full name, residential status (UAE resident or non-resident), mobile number, nationality, date of birth, ID type, and ID number. Some of this data is also included in the transaction receipt.

This step can be automated with identity verification (IDV) software such as Regula Document Reader SDK. The system authenticates the ID and extracts the necessary data from the visual inspection zone, machine-readable zone (MRZ), barcodes, and RFID chip (if available). Dynamic security features like holograms can also be checked. The software can be integrated into a web or mobile application or used on-site via a dedicated document reader.

Since most ID documents handled by UAE businesses, including domestic and GCC IDs, are electronic, they can be quickly verified through NFC technology. This process involves reading and validating the data stored on RFID chips (personal information and biometrics), and typically takes just a few seconds. NFC verification is both secure and user-friendly, which is why it’s widely adopted by regulated industries in the UAE, such as banking.

There is also a digital ID in the country called UAE Pass. It can be used for identity verification by citizens, residents, and visitors in various contexts, including banking and accessing government services. To register, users must complete document and biometric verification, either online using facial recognition or at a self-service kiosk using fingerprint scanning. 

When used for the CID process, UAE Pass replaces NFC-based ID verification. The system pulls the user’s photo and data from the MRZ, which was already verified during registration. 

Interestingly, IDV procedures for residents and citizens often differ, especially at banks in the UAE. Citizens typically complete verification online using UAE Pass or their Emirates ID, both of which are highly secure. 

In contrast, international residents presenting foreign national documents may be required to undergo more thorough on-site checks. Some banks, in particular, do not accept non-physical copies of IDs—such as scans, document photos, or PDF versions of the temporary Emirates ID—as valid forms of identification during online onboarding.

Building on CID, the Customer Due Diligence process involves creating a detailed customer risk profile. This profile contains additional information such as occupation and contact details. Each customer is also assigned a Unique Identification Number (UIN) for tracking and monitoring purposes. For example, the CDD procedure is mandatory for all prepaid card customers.

The customer's risk level is assessed based on transaction patterns, source of funds, and geographical location to determine whether EDD is required. Ongoing transaction monitoring ensures that customer activity aligns with the established risk profile.

Customer information and risk profiles must be updated and reassessed regularly, especially when there are significant changes in behavior.

Companies are also required to maintain records of all customer data, risk assessments, and monitoring activities to support regulatory audits and reviews.

EDD is the most comprehensive level of due diligence, incorporating all the above checks and adding stricter scrutiny. In this stage, the company must gain a full understanding of each transaction performed by the customer. 

Specifically, the institution is required to verify the customer’s source of funds using bank statements or other official documentation, especially for cash transactions, and to understand the purpose of the transaction, ensuring it’s legitimate and consistent with the customer’s profile.

Customers who fall under EDD are monitored more closely and thoroughly. To manage this, the bank or financial institution must collect and retain detailed information, including residential and permanent addresses, ID details, and payment method. This information must be included in a transaction receipt, which is signed by the customer and stored for future regulatory audits.

Under current KYC and AM/FT policies, many customers of banks and insurance companies in the UAE are assigned a UIN. This number serves as an additional identifier used during ongoing transactions. To prevent identity theft and fraud, it’s essential to ensure that each UIN is used only by the verified customer it was assigned to.

The CBUAE Rulebook outlines several countermeasures to achieve this goal:   

• ID document verification before processing any customer transaction.

• Issuing membership or loyalty cards to regular customers, which include basic details—a name, date of birth, nationality, UIN, etc.—and a photo. These cards must be presented and verified before a transaction is accepted.

• Using biometric systems to confirm customer identity.

The third measure can be fulfilled by integrating biometric verification into the IDV process. In this scenario, dedicated software like Regula Face SDK enables face matching by comparing a selfie to the photo from an ID document or a database of known customers. 

Additionally, biometric verification can be strengthened with liveness detection, where the software analyzes facial features to detect and reject deepfakes, on-screen images, silicone masks, and other deceptive tools used in presentation attacks.

This check is completed in seconds, adding a strong layer of security while keeping the process smooth and user-friendly for customers.

Biometric verification is also used in government services as part of CID procedures. For example, both domestic and international employees in the UAE must obtain a work permit. This fully remote process involves employers, who submit all required documents—such as IDs and photos—on a government platform on behalf of their employees.

In this case, the CID process serves two purposes: confirming the employee’s identity and the validity of their ID, and collecting the data needed to issue a work permit. The submitted photo is matched with the portrait on the ID and then checked against photo requirements for the work permit, including background color, lighting, and head positioning. Once approved, this image is used on the physical card.

• The UAE’s current regulations cover a wide range of checks and apply to nearly every industry involved in financial transactions. 

• Most KYC procedures can now be performed online, which supports the country’s move toward a centralized digital KYC platform.  

• Document authentication and biometric verification remain central to the KYC framework, alongside risk assessment and transaction monitoring.

• Identity verification isn’t limited to domestic IDs or standard travel documents. Less common forms, such as seafarers’ IDs, can also be valid for certain operations. To verify documents from non-residents accurately, a large and diverse template database is essential. Naturally, the IDV solution must support Arabic—the native language across the region—in all its variations.

Choose Regula. With proven technology and successful collaborations with UAE-based companies, we deliver fully compliant solutions for both online and on-site identity and biometric verification. What’s more, Regula’s ID template database now includes over 15,000 IDs from 251 countries and territories.

Book a call with our team to discuss how we can support your KYC needs in the UAE.