The UAE has introduced a comprehensive Know Your Customer (KYC) Digital Platform framework through Federal Decree-Law No. 30 of 2024, supported by Executive Regulations and Administrative Penalties Regulations issued in 2026. The legislation establishes new compliance obligations for Data Providers, Users and Platform Operators, strengthens data governance standards, enhances regulatory oversight and introduces administrative sanctions for non-compliance.

30 June 2026

UAE Strengthens Compliance and Enforcement Under the Know Your Customer (KYC) Digital Platform Structure

The United Arab Emirates continues to strengthen its regulatory and compliance infrastructure through the implementation of Federal Decree-Law No. 30 of 2024 regarding the Know Your Customer (KYC) Digital Platform, together with its Executive Regulations issued under Cabinet Resolution No. 55 of 2026 and the Administrative Violations and Sanctions Regulations issued under Cabinet Resolution No. 56 of 2026.

The new framework establishes a centralized digital ecosystem for the collection, management, verification, and exchange of customer due diligence information. It is designed to enhance transparency, improve regulatory oversight, strengthen anti-money laundering compliance, and promote greater efficiency in customer onboarding and verification processes across regulated sectors.

The introduction of a detailed sanctions regime further reinforces the UAE’s commitment to ensuring that entities participating in the KYC ecosystem maintain high standards of data accuracy, security, confidentiality, and compliance.

The KYC Digital Platform and Customer Data Requirements

The Executive Regulations establish the operational framework of the KYC Digital Platform and define the categories of information that may form part of a customer's KYC profile.

For individual customers, the required information may include identification details, Emirates ID information, passport information, residency details, contact information, employment information, source of income, and politically exposed person (PEP) information where applicable.

For legal entities, the platform may contain corporate information including trade licenses, constitutional documents, beneficial ownership information, senior management details, funding sources, and tax registration information.

The regulations also permit the inclusion of additional information required under anti-money laundering legislation or by the Central Bank of the UAE.

By centralizing customer due diligence information, the framework seeks to reduce duplication of compliance efforts while improving the reliability and consistency of customer verification processes.

Controls Governing the Issuance of KYC Reports

The Executive Regulations establish specific controls governing the issuance of KYC Reports.

A User may request a KYC Report only where the customer has provided the required consent. The request must contain sufficient information to identify the customer and specify the purpose for obtaining the report.

Before issuing a KYC Report, the platform operator is required to verify the customer’s consent, comply with applicable agreements entered into with Data Providers, and adhere to the controls issued by the Central Bank.

The regulations also provide a separate mechanism allowing a User to obtain a KYC Report relating to a debtor without customer consent where an appropriate order has been obtained from the judge of urgent matters.

These provisions are intended to ensure that customer information is accessed only for legitimate and authorized purposes.

Procedures for Updating and Correcting KYC Information

Recognizing that customer information may change over time, the Executive Regulations establish a formal process for correcting and updating KYC data.

Customers may request amendments to their KYC Reports where information is inaccurate, incomplete, outdated, or incorrect. Supporting documents must be provided to substantiate the requested changes.

Once a request is submitted, the platform operator may refer the matter to the relevant Data Provider for review and verification. Where an amendment is approved, the underlying KYC data must be updated and an updated KYC Report may be issued to the customer.

These procedures help maintain the integrity, accuracy, and reliability of information maintained within the KYC ecosystem.

Obligations of Data Providers

The Executive Regulations impose several obligations on Data Providers participating in the KYC framework.

Data Providers are required to verify the validity, source, accuracy, and currency of KYC information before submitting it to the platform. They must also respond to requests for corrections and updates and implement secure systems for the transmission of customer information.

In addition, Data Providers are required to comply with applicable Codes of Conduct and controls issued by the Central Bank.

These obligations are designed to ensure that the information available through the platform remains reliable and suitable for regulatory and compliance purposes.

Obligations of Platform Operators and Users

The framework also establishes extensive responsibilities for both the platform operator and Users accessing KYC Reports.

The platform operator is responsible for maintaining the KYC Platform, facilitating electronic connectivity with Data Providers and Users, conducting quality assessments, updating information when required, and ensuring that KYC Reports accurately reflect the information received from Data Providers.

Users accessing KYC Reports are required to use the information only for the approved purposes specified in their requests. They must maintain confidentiality, comply with applicable personal data protection laws, retain records for prescribed periods, and ensure secure disposal of information when it is no longer required.

The regulations also prohibit the transfer of KYC Reports or the information contained within them outside the UAE except in accordance with applicable legal requirements.

Technical Security and Data Protection Requirements

The Executive Regulations establish detailed technical requirements relating to the storage, processing, protection, and issuance of KYC information.

The framework requires the use of effective encryption technologies, access control mechanisms, monitoring systems, audit capabilities, privacy management policies, business continuity measures, and security incident response procedures.

These requirements reflect the increasing importance of cybersecurity and data protection in modern regulatory compliance frameworks.

Administrative Violations and Sanctions

Cabinet Resolution No. 56 of 2026 introduces a comprehensive schedule of administrative violations and sanctions applicable to Companies, Data Providers, and Users operating within the KYC framework.

The Central Bank is empowered to impose administrative sanctions where violations of the Decree-Law, Executive Regulations, or applicable Central Bank controls are identified.

The schedule includes penalties for a range of violations, including:

  • Unauthorized disclosure of KYC data

  • Failure to protect customer information

  • Issuing KYC Reports without proper consent

  • Misuse of KYC information

  • Failure to update inaccurate information

  • Failure to comply with Central Bank controls and Codes of Conduct

  • Unauthorized transfer of KYC Reports outside the UAE

  • Breaches of personal data protection requirements

Administrative fines generally range from AED 10,000 to AED 100,000, depending on the nature and severity of the violation.

In addition to financial penalties, the Central Bank may suspend dealings with entities found to have committed violations under the framework.

The Resolution also establishes notification procedures and a formal grievance mechanism through which affected parties may challenge administrative sanctions.

Impact on Businesses Operating in the UAE

The KYC Digital Platform framework represents a significant development for businesses operating in regulated sectors across the UAE.

Financial institutions, insurance companies, regulated businesses, government-related entities, and other organizations that collect, process, or rely on customer due diligence information will need to review their compliance processes to ensure alignment with the new requirements.

Organizations should assess their existing KYC procedures, data governance frameworks, cybersecurity measures, record retention practices, and internal compliance controls to ensure they can meet the obligations imposed under the legislation.

The introduction of a clearly defined sanctions framework also increases the importance of maintaining accurate records, implementing robust security measures, and ensuring ongoing compliance with regulatory requirements.

Conclusion

The introduction of Federal Decree-Law No. 30 of 2024 regarding the Know Your Customer Digital Platform, together with its Executive Regulations and Administrative Sanctions Framework, represents an important step in the UAE’s ongoing efforts to strengthen compliance, enhance transparency, and improve the integrity of customer due diligence processes.

By establishing clear obligations for Data Providers, Users, and platform operators, while introducing meaningful enforcement mechanisms and sanctions for non-compliance, the framework reinforces the UAE’s position as a leading jurisdiction for regulatory innovation and financial integrity.

Businesses operating within the UAE should proactively review their compliance programmes and internal governance procedures to ensure they are prepared to meet the requirements of this evolving regulatory framework.

Need assistance with UAE regulatory compliance, AML obligations, corporate governance, or data governance requirements? Malhotra Legal Consultancy can assist businesses in understanding and implementing their compliance obligations under the UAE’s evolving regulatory framework.