Regulatory & Compliance

DFSA, ADGM & CBUAE Compliance Consultant — AML/CFT, GRC & DNFBP Advisory UAE

We build AML/CFT, conduct, and sanctions frameworks that your staff can follow and regulators can test. Built on FATF, UAE federal law, and regulator-specific requirements — for operational use, not a drawer.

Request a Compliance Gap Review Compliance as a Service
AML/CFTDFSAADGMCBUAEDNFBPSanctionsVASP
55+
CaaS Clients
350+
Companies Supported
4
Regulators We Work Across
FATF
Framework Aligned
What We Do

AML/CFT & GRC Compliance Advisory

A compliance programme that sits in a folder is not a compliance programme. We build AML/CFT, conduct, and sanctions frameworks that are designed to be used — by your staff on day one, and tested by your regulator at any point after.

Marensa Advisory works with DNFBPs, fintechs, family offices, and regulated financial institutions across the UAE, Mauritius, and Canada. Whether you are building a programme from scratch, remediating examination findings, or preparing a compliance framework for a licence application, our approach is operational: everything we produce is designed to be followed, not presented.

We also provide Compliance as a Service (CaaS) — an outsourced ongoing compliance function for regulated entities that want specialist expertise without a full in-house team.

Book an AML Assessment Common Questions
Facing a regulatory examination?
We conduct mock reviews against DFSA, ADGM, and CBUAE supervisory priorities — identifying gaps before the regulator does, and building the evidence file to close them.
Request an Examination Readiness Review
What’s Included
  • AML/CFT Business-Wide Risk Assessment (BWRA)
  • Full policy and procedure suite (AML, KYC, sanctions, TPML)
  • Customer Risk Rating (CRR) methodology and scoring matrix
  • Transaction monitoring framework and alert management
  • Sanctions screening programme design and testing
  • STR/SAR reporting procedures and UAEFIU filing support
  • DNFBP compliance programmes (goAML, MOEC requirements)
  • Compliance calendar and annual review cycle
  • Staff AML/CFT training and competency assessment
  • Regulatory examination preparation and gap analysis
  • Remediation programme design and regulator reporting
  • MLRO support and outsourced compliance function
Regulatory Frameworks

Compliance by Regulator

Each UAE financial regulator has its own rulebook, supervisory expectations, and examination approach. We work across all four and know where they differ.

DFSA
Dubai Financial Services Authority (DIFC)
DFSA-regulated entities face AML/CFT obligations under the DFSA's AML Module, conduct obligations under COB rules, and specific requirements for client categorisation, suitability, and transaction reporting. We build compliance frameworks to DFSA standard and prepare entities for DFSA supervisory examinations — including mock reviews and gap closure.
FSRA
Financial Services Regulatory Authority (ADGM)
ADGM's FSRA applies its own AML/CFT Rulebook, conduct framework, and prudential requirements. FSRA examinations are detailed and evidence-focused. We advise ADGM-regulated entities on AML/CFT programme design, conduct risk, conflicts of interest, and annual compliance reporting — and provide hands-on examination support.
CBUAE
Central Bank of the UAE (Mainland)
CBUAE-regulated entities — banks, payment institutions, finance companies, exchange houses — operate under UAE Federal AML Law, CBUAE AML/CFT Standards, and sector-specific guidance. We build frameworks aligned to CBUAE supervisory expectations, including risk-based CDD, transaction monitoring thresholds, and UAEFIU STR filing procedures.
VARA
Virtual Assets Regulatory Authority
VARA-regulated VASPs face AML/CFT requirements specifically calibrated to virtual asset risks — Travel Rule compliance, blockchain transaction monitoring (on-chain analytics), wallet screening, enhanced due diligence for high-risk counterparties, and VARA's own AML/CFT rulebook. We design VA-specific compliance frameworks and integrate blockchain analytics tooling.
DNFBP
Non-Financial Businesses & Professions (MOEC)
DNFBPs — real estate agents, gold and precious metals dealers, lawyers, accountants, and company service providers — face AML/CFT obligations under UAE federal law, supervised by the Ministry of Economy (MOEC). We build DNFBP-specific AML/CFT programmes that satisfy MOEC and CBUAE supervisory expectations, including goAML registration and STR reporting.
Mauritius
Financial Intelligence Unit & FSC (Mauritius)
Mauritius-licensed entities must comply with the Financial Intelligence and Anti-Money Laundering Act (FIAMLA) and FSC AML/CFT Guidelines. We build Mauritius compliance frameworks for GBCs, investment dealers, fund managers, and payment providers — including risk assessments, KYC policies, and FIU reporting procedures.
Scope of Work

Regulatory Areas We Work In

AML/CFT Framework Design
End-to-end AML/CFT programme design, aligned with UAE Federal Decree-Law No. 20 of 2018, FATF recommendations, and applicable regulator-specific guidance (CBUAE, DFSA, ADGM, VARA). Includes Business-Wide Risk Assessment, KYC policies, Customer Risk Rating methodology, transaction monitoring framework, and STR procedures. We build it to be used — not to satisfy a checkbox.
DNFBP Compliance Programmes
Real estate agents, gold traders, law firms, accountants, and company service providers face specific AML/CFT obligations under UAE law, supervised by MOEC. We build DNFBP-specific programmes that cover goAML registration, risk-based CDD, beneficial ownership verification, transaction monitoring, and STR reporting — and prepare businesses for MOEC inspections.
Conduct & Governance
Regulatory conduct frameworks covering conflicts of interest, market conduct, client categorisation, suitability, and disclosure obligations under DFSA, ADGM, and SCA rules. Includes board governance documentation, compliance committee terms of reference, compliance monitoring plans, and whistleblowing arrangements. Designed to satisfy examination scrutiny, not just tick the box.
Sanctions Compliance
UAE sanctions are issued by the Supreme Council for National Security (SCNS) and the Executive Office for AML/CTF (EOCN). Compliance requires both OFAC/UN/EU screening and UAE-specific list management. We design sanctions screening programmes, testing protocols, false-positive management procedures, and escalation and blocking procedures aligned to UAE regulatory expectations.
Virtual Assets & VASP Compliance
VARA-regulated VASPs and CBUAE-registered virtual asset businesses require AML/CFT frameworks specifically calibrated to VA risks — Travel Rule compliance (FATF R.16), blockchain analytics integration, wallet screening, VASP counterparty due diligence, and enhanced procedures for high-risk products and geographies.
Regulatory Remediation
Following regulatory examinations, findings, or enforcement actions, we design and manage remediation programmes: gap analysis, prioritised action plans, evidence file construction, regulatory reporting, and senior management communication. We have managed sensitive remediation engagements across CBUAE, DFSA, and ADGM — and understand how to restore regulator confidence effectively.
Outsourced Compliance
Compliance as a Service (CaaS)
55+ companies rely on Marensa Advisory for their ongoing compliance function. CaaS is a retainer-based model that gives regulated entities access to a specialist compliance team without building one in-house.
Outsourced MLRO / CMLRO function
Regulatory change monitoring and impact assessment
Annual BWRA update and policy refresh
Ongoing KYC and CDD support
Compliance monitoring and MI reporting
Staff training and competency assessment
Regulator correspondence and examination support
Board and governance reporting
Learn About CaaS →
Who CaaS is for
Fintech startups
VASP operators
Family offices
Asset managers
Payment providers
DNFBPs
Boutique brokers
Fund administrators

CaaS is suitable for entities that are regulated, or preparing to be, and need a reliable compliance function without the cost of a full in-house team.

Who This Is For

Is This the Right Service for You?

  • Regulated financial entities (DFSA, ADGM, CBUAE, VARA) needing a robust AML/CFT framework
  • DNFBPs — real estate agents, gold traders, lawyers, accountants, CSPs — with MOEC obligations
  • Fintechs and payment service providers building compliance for a licence application
  • Virtual asset businesses needing VASP-specific AML/CFT and Travel Rule compliance
  • Businesses preparing for or responding to a regulatory examination or enforcement action
  • Companies that have compliance policies but lack evidence that they are operational
  • Entities seeking an outsourced MLRO or ongoing compliance function
Speak to a Compliance Specialist
"The DFSA asked for evidence of our monitoring programme on day one of the examination. We had three months of documented alerts, escalations, and disposals ready."
Related Service

If you are applying for a financial licence, the AML/CFT framework is built as part of the dossier. Our Financial Licensing service includes this as a standard deliverable.

Financial Licensing →
Sectors We Serve

Compliance Across Every Regulated Sector

Fintech & Payments
Virtual Asset (VASP)
Asset Management
Family Offices
Real Estate (DNFBP)
Gold & Precious Metals
Law Firms
Accounting Firms
Company Service Providers
Investment Banking
Insurance
Fund Administrators
Common Questions

Regulatory & Compliance FAQs

A DFSA compliance consultant helps DIFC-regulated entities build, operate, and maintain compliance frameworks that meet DFSA requirements. This includes AML/CFT programmes aligned to the DFSA's AML Module, conduct frameworks covering client categorisation, suitability and disclosure, transaction reporting obligations, and preparation for DFSA supervisory examinations. They also provide compliance monitoring plans, staff training, and MLRO support — and can act as the outsourced MLRO/CMLRO function for smaller entities.
UAE AML/CFT obligations are set under Federal Decree-Law No. 20 of 2018 and its implementing regulations (Cabinet Decision No. 10 of 2019). Both financial institutions and DNFBPs must maintain AML/CFT programmes covering: a Business-Wide Risk Assessment, risk-based customer due diligence (CDD), transaction monitoring, sanctions screening (UAE, UN, OFAC, EU lists), suspicious transaction reporting (STRs) via goAML, record-keeping, and staff training. Regulated financial entities also face sector-specific obligations under their regulator's rulebook.
A Designated Non-Financial Business or Profession (DNFBP) is a non-bank entity that faces AML/CFT obligations due to the nature of its activities. In the UAE, this includes real estate agents and brokers, dealers in precious metals and stones, lawyers and notaries, external auditors and accountants, and company service providers. DNFBPs must register with the Ministry of Economy's goAML system, maintain a risk-based AML/CFT programme, conduct CDD on clients, report suspicious transactions, and comply with UAE sanctions requirements. Supervision is conducted by MOEC and the EOCN.
Preparation should begin well before examination notice. It involves conducting a mock review of your compliance framework against the regulator's current supervisory priorities, identifying gaps in policies and evidence, ensuring your monitoring records and management information (MI) are complete and in the expected format, and briefing key staff — including the MLRO, compliance officer, and senior management — on the examination process and likely areas of focus. Marensa Advisory provides examination readiness reviews as a standalone engagement or as part of an ongoing advisory relationship.
CaaS is an outsourced compliance model where Marensa Advisory provides ongoing compliance support — including outsourced MLRO/CMLRO functions, regulatory change monitoring, policy maintenance, staff training, and regulator liaison — on a monthly retainer basis. It suits regulated entities that do not have the scale to justify a full in-house compliance team, or that need specialist expertise beyond their existing function. 55+ companies currently use our CaaS model across the UAE, Mauritius, and Canada.
Yes. VASPs face specific AML/CFT requirements calibrated to virtual asset risks, including Travel Rule compliance (FATF Recommendation 16 — requiring originator and beneficiary information to accompany VA transfers), blockchain transaction monitoring (on-chain analytics for suspicious patterns), wallet screening against sanctions lists, enhanced due diligence for high-risk counterparties (unhosted wallets, mixer usage, high-risk jurisdictions), and VARA's own AML/CFT rulebook for Dubai-licensed VASPs. A standard financial institution AML framework is not sufficient for a VASP.
An adverse finding — whether a formal requirement, recommendation, or enforcement action — requires a documented remediation response. This involves a gap analysis against the specific findings, a prioritised action plan with committed timescales, evidence packs demonstrating closure of each finding, and a formal response to the regulator. The speed and quality of the remediation response significantly influences the regulator's subsequent disposition. Marensa Advisory manages sensitive remediation engagements and has experience in restoring regulator confidence effectively — including in enforcement and conditional licence scenarios.
Ready to build a compliance programme that holds up under scrutiny?
Whether you're building from scratch, remediating examination findings, or looking for an outsourced compliance function — we start with a gap review so you know exactly where you stand.