On 6 July 2026 the Central Bank of the UAE fined a branch of a foreign bank AED 1,820,000. The breach was not a laundering network, a mispriced product, or a cross-border structure that took forensic accountants a year to unpick. The branch had failed to issue a customer a liability letter inside the mandated seven-day period.

A liability letter is ordinary paperwork. It tells a customer what they owe, and it is the document that lets them settle a loan, refinance, or move a facility to another bank. Without it, the customer's next step simply does not happen. The rule requiring banks to produce one promptly is not new. What is new is the price of missing it.

Read that fine on its own and it is a curiosity. Read it alongside the last six weeks of Gulf enforcement and it stops being a curiosity, because it is the fourth time in a row the same message has been sent by two different regulators.

AED 1.82m
CBUAE sanction for one liability letter issued outside the mandated seven-day period
AED 300k
Imposed personally on a Head of Compliance and MLRO, alongside a AED 20m penalty on the branch
1 in 5
DIFC brokerage firms found by the DFSA to have no personal account dealing policy at all

Four events, one argument

Take them in order, because the sequence matters more than any single item.

24 June. The CBUAE fined a foreign bank branch AED 20 million for significant and repeated failures across its AML, CFT and sanctions framework, discovered on examination. It then fined the branch's Head of Compliance and MLRO AED 300,000 personally, for failing to fulfil the role. Not for a decision made badly. For a function not performed.

29 June. The DFSA published its first Conduct Supervisory Pulse, a new format that reports directly from live supervisory work before any enforcement follows. Its subject was personal account dealing across the DIFC brokerage sector, and its headline finding was that roughly one in five firms had no employee personal account dealing policy at all.

2 July. DFSA amendments to the Conduct of Business and Prudential modules came into force. The client money reconciliation language is worth reading literally: an authorised firm must maintain a system to ensure that accurate reconciliations are carried out. Monthly at minimum, daily for firms providing money services. The rulebook now names the remedy.

6 July. AED 1.82 million, for a letter that arrived late.

An AML framework failure, a conduct policy gap, a reconciliation rule and a service deadline. Four different regimes, four different failure modes, and superficially nothing in common. Except that in every case the finding was about whether an obligation was operated, and in every case the answer had to be evidenced rather than asserted.

The distinction that is doing the work. None of these four institutions lacked the relevant documentation, with the possible exception of the fifth of brokerages who lacked a PAD policy outright. Banks fined for AML failures have AML policies. The branch that sent a letter late has a service standard written down somewhere. What was missing was the demonstrable operation of the thing: the control tested on schedule, the request tracked against its deadline, the reconciliation performed and signed. Policy is a claim about intent. Execution is a fact, and facts are what examiners now go looking for.

Why now

Two forces have converged, and neither is going away.

The first is that Gulf regulators have finished building their frameworks and moved into supervising them. The UAE spent years constructing an AML regime substantial enough to exit the FATF grey list in February 2024, and is now inside a fifth-round mutual evaluation that examines effectiveness rather than architecture. A regime that has been judged on whether the rules exist gets judged next on whether the rules bite. The 2025 Central Bank Law reportedly raised the ceiling on administrative fines dramatically, which tells you the direction of travel even before you look at a single case.

The second is that examination technique has changed. Supervisors who once reviewed policy suites now sample transactions, request evidence packs, and check whether the control described in chapter four of the manual left a trace in the systems. That is a different exam, and it rewards a different preparation. The DFSA making its supervisory findings public before enforcement, in the Pulse format, is the same shift wearing a friendlier face: here is what we looked at, here is what we found, you have been told.

Question The old examination The examination now
Do you have a control? Show the policy Show who owns it, when it was last tested, and what the test found
Was the deadline met? The team says yes Show the request, the clock, the escalation, the completion timestamp
Did the MLRO oversee it? The role exists and is filled Show the escalations, decisions and sign-offs, as they happened
Was the finding fixed? It was discussed and closed Show the owner, the remediation, the closure evidence, and that it stayed closed
Are reconciliations accurate? They are performed Show the system that ensures they are, and the record of each one

Every row in the right-hand column has the same shape. It asks for a record that had to exist before anybody asked for it. That is not a documentation problem, and it cannot be solved by writing a better policy. It is an operations problem, and the record either accumulated as the work happened or it did not.

Where the evidence usually lives, and why that fails

In most institutions the layer between the policies and the systems is a folder of spreadsheets and a decade of email. The detection systems are good. The transaction monitoring engine works, the screening platform screens, the ledger reconciles. The policies are good too, often written by expensive people. What sits in between, the layer that proves the good systems were operated according to the good policies, is where competence goes to hide.

The characteristic failure is rarely negligence. What goes wrong is that nobody owned the record. A control gets tested, and the result lands in the tester's inbox. A break gets investigated, and the explanation is in a reply. A liability letter request arrives in a shared mailbox, gets picked up by someone who then goes on leave, and no clock anywhere in the institution is counting the seven days. Each of those is a reasonable thing to have happened. Together they are the enforcement notice.

The phrase in the June AML notice worth rereading is significant and repeated. Repeat findings are what turn a supervisory conversation into a penalty, and a repeat finding is almost always a tracking failure rather than a competence failure. Somebody fixed it. Nobody could prove it stayed fixed.

What the evidence layer actually is

Across the four cases, the remedy is structurally identical, whatever the regime. Four capabilities, none of them exotic.

A register with owners

Every control, obligation and deadline-bearing request catalogued, with a named owner, a frequency and the evidence it is expected to produce. Accountability as a record rather than an assumption.

A clock on anything with a deadline

Seven days for a liability letter, monthly for a reconciliation, daily for money services. The obligation carries its clock from the moment it arrives, and the clock escalates before it expires rather than after.

One findings pipeline

Examination findings, audit points and self-identified issues in a single queue with owners, deadlines and closure evidence, so a finding closed once is provably closed and does not return as a repeat.

Evidence that exports

Every test, decision, escalation and sign-off timestamped and retrievable per control, per period or per request, so a supervisory question is answered by an export rather than an excavation.

Read that list against the four events and the fit is uncomfortable. The MLRO fined personally needed the escalations and sign-offs recorded as they happened. The brokerages need declarations and monitoring rather than an annual attestation. The reconciliation rule literally asks for a system. And the branch that sent a letter late needed one thing only: a clock that started when the request arrived and shouted at somebody on day five.

Where we sit in this, stated plainly

We build software. We are not a law firm, a compliance consultancy, an auditor, or an AML advisory, and nothing here interprets any rule or tells you what your obligations are. Those are questions for your compliance function and your advisers, and the enforcement notices themselves are the authority, not this page. We do not replace transaction monitoring engines, screening platforms, ledgers or core banking systems, all of which do work we have no business doing.

What we build is the layer above them: the registers, the clocks, the workflows and the evidence records that turn a documented framework into an operated and provable one. The judgements stay with the people qualified to make them. The proof that the judgement was made, on time, by the right person, is a systems problem, and it is the one we solve.

The honest scope note, because it matters. An institution with one client account, a handful of controls and a compliance function of one person does not need any of this built. A disciplined spreadsheet and an attentive human will hold. The case begins where the combinations do: multiple entities, multiple regimes, deadlines arriving continuously, and a compliance function whose ability to prove its own work depends on people remembering to file things. That is where the enforcement lands, and it is not a coincidence.

The questions worth asking

Probably, and that is the uncomfortable part. The institutions in these four cases were not fringe operators. They had policies, systems and qualified people. The gap was the connective tissue: whether the control was tested when it should have been, whether the deadline had a clock, whether the finding closed and stayed closed, whether the MLRO's oversight left a trace. Strong policies and strong systems are exactly the profile of an institution that assumes the middle layer is fine because nobody has ever asked to see it.

Sometimes, genuinely. Enterprise GRC suites exist, they are mature, and for an institution whose control environment matches what the vendor assumed, buying is the right answer and we will say so. The gap we see is the institution whose obligations are shaped by its own permissions, entity structure and regimes, and which ends up configuring a generic platform for eighteen months into an approximation of its actual process. Fitted software earns its place where the process is genuinely specific, and nowhere else.

No. We are an independent software engineering company. We do not interpret rules, rate control effectiveness, judge remediation adequacy, draft policy, or communicate with regulators on anybody's behalf. Those are the work of your compliance function, your advisers and your auditors. We design and build the platform that records what they do, hand it over, and your team operates it.

Further than most institutions are comfortable with, and the retention periods vary by regime and record type, which is a question for your advisers rather than for us. The practical point is that evidence cannot be retrofitted. A control that was not evidenced when it ran cannot be evidenced afterwards, honestly. Which means the value of building the layer is entirely a function of when you build it, and it only ever accrues forward.

There will be another enforcement notice this month, and another after that. Each will be reported as its own story, analysed by law firms within forty-eight hours, and filed. What the last six weeks suggest is that they are not separate stories. Two regulators, four regimes, and one consistent instruction: stop showing us what you intended to do. Show us what you did. The institutions that can answer that today tend to be the ones that decided, at some point before anybody asked, that the record was worth keeping properly, rather than the ones with the best-written policies. For adjacent ground, see our pages on AML compliance testing and client money reconciliation, and our sources page for the reporting behind the figures here.

We build software; we are not a law firm, compliance consultancy, auditor or AML advisory, and nothing on this page is legal or compliance advice. Descriptions of enforcement actions and rule changes summarise public regulatory announcements and reporting at the time of writing, are point-in-time, and may be affected by subsequent guidance or appeal. Institutions subject to enforcement are not named here, consistent with the regulators' own announcements. Some details, including historic penalty levels and statutory maximums, derive from secondary reporting. References to authorities and publications are descriptive and imply no affiliation or endorsement. Seek qualified advice on how any regime applies to your firm. Sources are listed on our sources and data page.