On 24 June 2026 the CBUAE fined a branch of a foreign bank AED 20 million for significant, repeated failures in its anti-money-laundering, counter-terrorism-financing and sanctions framework, found on examination. That much is routine, in a year where the regulator issued over AED 370 million in such fines. The part worth attention is the second line of the notice: a separate AED 300,000 penalty on the Head of Compliance and Money Laundering Reporting Officer, personally, for failing to fulfil the responsibilities of the role. The fine on the branch lands on a balance sheet. The fine on the MLRO lands on a person.
That shift is the whole story for anyone who owns a compliance function. It changes the question an examination is really asking. Not whether you have an AML policy, which everyone does, but whether you can prove the controls behind it actually operated, were tested, and were fixed when they broke. A policy describes intent. An examination now tests evidence, and increasingly attaches a name to the gap between the two.
The fine is a signal, the framework is the point
The CBUAE’s AML, CFT and sanctions expectations, updated again in April 2026 for banks, exchange houses and hawala providers, have long required these controls, in line with the National AML/CFT Strategy and FATF standards. This action does not create a rule. It confirms the supervisory method: examinations that test whether controls actually work, and penalties that now reach the individual. This is a standing regime being enforced harder, not a new one.
It helps to look at the AML controls the way an examiner does, because the difference between a policy and its evidence is specific to each one. The grid below runs through the main control areas. For each, it sets out what the policy says, what the examiner asks you to prove, and who carries it when it fails.
Policy, evidence, and who is on the hook
Read down the third row of each control and the pattern is clear. The controls that expose an individual are the ones that cannot be proven by pointing at a document: that screening ran and alerts were cleared, that monitoring was tuned and tested, that findings were closed rather than repeated. Those are things a firm either has evidence of or does not, and the evidence is what an examination now turns on.
There is a sharper edge here for foreign bank branches, which this action concerned. A branch often runs on a group AML programme designed for its home regulator, and assumes that programme carries in the UAE. Supervisors take a different view: the controls have to operate against the CBUAE’s expectations locally, and the branch has to evidence that they did, on UAE customers and UAE transactions. A global framework that looks strong on paper is worth little in an examination if the local operation of it cannot be shown. That is precisely the gap an evidence layer closes.
What an evidence layer actually holds
The firms that come through examinations well are rarely the ones with the thickest policies. They are the ones that can produce, quickly, the evidence that each control operated. That is a software job, and a specific one, distinct from the AML tools that do the detecting. It sits above your AML and CFT platform and your transaction monitoring, and holds the proof that they were run, tuned and overseen. None of it is exotic technology. It is the disciplined capture of what the firm already does, turned into a record that survives an examination and names the owner of each part.
Control register and ownership
Every AML and sanctions control mapped to an owner, a frequency and a test, so the firm can show who owns each control and that it operates, rather than only that a policy exists.
Testing and tuning evidence
Screening and monitoring tuning, testing and alert-handling captured as an evidence trail, so the firm can show the controls were tested and worked, which is what an examiner asks.
Findings and remediation tracking
Examination findings and internal issues tracked to closure with owners and dates, so prior gaps are evidenced as remediated rather than quietly repeated into the next cycle.
Attestation and board MI
MLRO attestations and board reporting packs produced from the record, so senior oversight is evidenced and the individual accountability the regime now enforces is supported.
| Control area | Policy-led | Evidence-led |
|---|---|---|
| Sanctions screening | Documented policy and lists | Proof each alert was cleared and recorded |
| Transaction monitoring | A system is in place | Tuning and testing evidenced, alerts worked |
| Findings | Noted in a report | Tracked to closure with owners and dates |
| Oversight | The board is informed | Board MI and MLRO attestation on the record |
| An examination | Produces a policy binder | Produces proof the control operated |
A written policy tells an examiner what the firm intended. The evidence tells them what actually happened. This action fined the gap between the two, and it put an individual’s name on it.
A clear word on what we build. We build software. We are not a compliance consultancy, a regulated firm, or a legal adviser, and we do not run your AML programme, screen your customers, decide whether a control is adequate, or represent you to the CBUAE. Those are matters for your compliance function and its qualified advisers. What we build is the layer that holds the evidence: the control register, the testing and remediation record, the attestations and the board MI, so the firm can show its controls operate. The programme and the judgement stay with the firm.
Questions firms are asking
The CBUAE fined a branch of a foreign bank AED 20 million after examinations found significant, repeated failures in its AML, CFT and sanctions framework, and separately fined the Head of Compliance and MLRO AED 300,000 for failing to fulfil the responsibilities of the role. It was announced on 24 June 2026. The firm was not named publicly. The authoritative text is the CBUAE’s own notice.
No. The CBUAE’s AML, CFT and sanctions framework is long-standing and was updated again in April 2026, in line with the National AML/CFT Strategy and FATF standards. This action does not introduce a new rule. It signals how the existing framework is being examined and enforced, with more weight on evidence that controls operate and on the accountability of the individuals who own them.
No. We are an independent software engineering company. We are not a compliance consultancy, a regulated or licensed firm, or a legal adviser, and we are not affiliated with or endorsed by the CBUAE. We do not run AML programmes, screen customers, decide whether a control is adequate, or represent firms to the regulator. We build the software that holds the evidence a firm’s controls operate. For the obligations themselves, rely on the CBUAE framework and take qualified legal and compliance advice.
No. Your AML platform, transaction monitoring and sanctions screening do the detecting, and where they work they stay. This is the evidence and assurance layer above them: the control register, testing and tuning records, remediation tracking, attestations and board MI. It shows that the detecting controls were run, tuned and overseen, which is the part an examination tests. Integration with what you already run is scoped before any build.
When the penalty can land on the MLRO personally, the individual needs to be able to show they oversaw the controls, not just that the firm had policies. That means a record of attestations, of findings raised and closed, and of the management information the board actually saw. A system that produces that record turns personal accountability from an exposure into something an individual can evidence they discharged.
It is the same shift, in a different regime. Just as AML supervision now tests evidence and names individuals, DIFC conduct supervision has turned to whether firms can evidence controls like personal account dealing. The common thread is that regulators across the UAE are moving from asking whether a policy exists to asking a firm, and increasingly a named individual, to prove the control operated.
The AED 20 million will be absorbed. The AED 300,000 on a named individual is the part that changes behaviour, because it moves the risk from the balance sheet to a person’s record. A thicker policy is no defence against it. What answers the examiner is evidence: that each control has an owner, that it was tested, that findings were closed, and that someone with their name on it can show all of that on the day they ask. That evidence is buildable, and it is ordinary software work done against a serious and now personal regulatory expectation.
References to the CBUAE, its AML, CFT and sanctions framework, the National AML/CFT Strategy, the FATF, and the June 2026 enforcement action are descriptive of publicly available frameworks and publications as reported at the time of writing. Figures, including the AED 20 million and AED 300,000 penalties and the reported AED 370 million of AML/CFT fines across 2025, are drawn from public reporting and official announcements, are point-in-time, and represent no specific named firm, which was not publicly identified. BY BANKS is an independent software engineering company; we design and build software and hand it over. We are not a compliance consultancy, a regulated or licensed firm, a legal adviser, or affiliated with or endorsed by the CBUAE or any authority. On any engagement, the firm owns its AML, compliance, and regulatory decisions and responsibility for their implications. This article is not legal, compliance, or regulatory advice; readers should obtain qualified advice for their specific circumstances and rely on the CBUAE framework for current requirements. Public sources used in this piece are listed on our Sources and Data page.