AML Compliance & Risk Management

goAML is the UAE Financial Intelligence Unit's (FIU) official online system used by reporting entities to submit suspicious transaction and suspicious activity reports, and to manage related reporting workflows. It is also used to receive FIU messages and respond to requests for additional information when required.

goAML registration is required for businesses that fall under UAE AML obligations (often referred to as financial institutions and DNFBPs), depending on their license activity and supervisory authority. This commonly includes real estate brokers, dealers in precious metals and stones, auditors/accountants, corporate service providers, and other regulated activities. If your business handles high-value transactions or regulated financial activity, you are likely expected to maintain AML controls and reporting readiness.

In most cases, goAML setup is a two-stage process: first, registering for access through SACM (Service Access Control Manager), then completing the organization/user registration on the goAML portal. Many registrations get delayed because SACM and user access roles are not configured correctly the first time.

STR and SAR are the primary report types for submitting a new suspicion. goAML also supports additional workflows such as AIF/AIFT (to provide supplementary information linked to a previously filed STR/SAR) and FIU requests such as RFI/RFIT, among other report types depending on the case and sector. This matters because AML reporting is not always "file once and done"—follow-ups are common.

An STR (Suspicious Transaction Report) is typically used when there is a suspicious transaction involved. A SAR (Suspicious Activity Report) is generally used when there is suspicious activity or behavior that may not be tied to a specific transaction. In both cases, the goal is to report suspicion promptly and accurately through goAML when the reporting obligation is triggered.

A business should file an STR/SAR when it identifies behavior, patterns, or information that creates a reasonable suspicion of money laundering or related financial crime risk. The practical trigger is not "proving wrongdoing"—it's recognizing suspicious indicators and escalating them through the correct reporting channel without delay, based on your internal policies and risk assessment.

CDD is the process of identifying and verifying who your customer is, understanding the nature of the relationship, and assessing risk. It's required because AML compliance relies on knowing who you're dealing with and whether the relationship presents elevated risk. Without consistent CDD, transaction monitoring and suspicious reporting become unreliable.

EDD is a deeper level of due diligence applied to higher-risk customers or situations. It typically involves collecting additional information, verifying source of funds/wealth where appropriate, and applying closer ongoing monitoring. EDD is important because regulators expect a risk-based approach, not the same checks for every customer.

Sanctions screening checks whether a customer matches a sanctions list. PEP screening identifies whether a customer is a Politically Exposed Person, someone whose position can increase exposure to corruption and financial crime risk. For many regulated businesses, screening is a core control that supports risk classification and determines whether EDD or escalation is required.

SACM is the FIU access layer used to create user access credentials and authentication prerequisites needed before goAML portal usage. If SACM registration or access configuration is incomplete, teams may be unable to log in, activate roles, or complete reporting workflows on time, especially during urgent reporting situations.

DocuBay helps businesses manage AML and goAML compliance through a single platform by enabling due diligence workflows (CDD/EDD/KYC), screening (sanctions/PEP), and structured reporting readiness. Where specialist support is required, such as policy drafting, training delivery, or complex reporting scenarios, DocuBay connects you with trusted service providers while keeping your compliance workflow organized in one place.

Many AML tasks can be streamlined through technology, especially repeatable workflows such as identity checks, due diligence documentation, sanctions/PEP screening, case tracking, and compliance record management. Automation doesn't replace responsibility, but it reduces manual effort, improves consistency, and helps teams maintain better audit readiness over time.