The UAE’s new AML law introduced a “should have known” standard for senior managers and compliance officers — a shift that moves personal liability from the realm of egregious bad actors into the ordinary territory of professional judgment and documentation. AJMS Global’s Amarjeet Singh has been living with the practical consequences since October and writes with directness about things he believes UAE GRC directors are underestimating.
There is a date that most GRC directors in the UAE remember: Oct. 14, 2025. That was the day Federal Decree Law No. 10 of 2025 came into force, the day the UAE’s entire anti-money laundering framework was replaced and the day the legal exposure of a compliance officer changed in ways the profession here has not yet fully absorbed.
I run the GRC function at one of the leading consulting firms in the UAE; prior to this I was heading compliance in an exchange house regulated by the Central Bank of the UAE (CBUAE). I had read drafts of the new law. I had tracked the consultations. But reading something in draft and living it in practice are different experiences, and the practical reality of Decree Law 10 is something that deserves more direct conversation than it has received in compliance circles outside the Persian Gulf.
The short version: For the first time in UAE legal history, senior managers and compliance officers can face personal criminal liability, not just corporate fines, for failures that occur on their watch. The threshold for establishing knowledge is no longer actual knowledge of criminal intent. Under Article 2 of the new law, knowledge can now be inferred from objective circumstances, amounting to a “should have known” test, as many analysts have noted.
This is not a subtle change. Rather, it is a fundamental shift in how the profession is regulated.
What the law actually says about us
Senior management is defined in the accompanying regulations as individuals vested with authority to take strategic or executive decisions affecting risk management, compliance policies and operational governance. That definition explicitly includes CEOs, general managers and board members. But it also captures by its own terms anyone in a position to directly influence compliance policies, which means, in most UAE exchange house structures, the GRC director.
The practical consequence is this: If a compliance failure occurs at an institution, and a regulator or prosecutor can demonstrate that I had access to the information, had the authority to act and failed to act, I may be facing a personal criminal matter, not just an institutional one. Fines for legal entities reach AED 100 million under the new framework. For individuals, the sanctions include prohibition orders, bans from management functions and referral for prosecution.
A CBUAE branch manager was fined AED 500,000 and permanently banned from the UAE financial sector in May 2025, before Decree Law 10 was even in force, following an AED 200 million sanction against his exchange house.
Under the new law, the tools for individual accountability are considerably sharper.
Most GRC frameworks in the UAE financial sector were built around institutional accountability. Policies, procedures, training programs, audit trails — these are all designed to demonstrate that the institution had adequate controls. The implicit assumption was that individual liability, if it arose at all, was reserved for egregious bad actors. Decree Law 10 removes that comfort.
What the new law demands, in practical terms, is something that few GRC functions currently have: a contemporaneous, documented record of individual decision-making. Keep in mind this is not just what the policy says or what the system logged but evidence that a specific, authorized individual reviewed specific information and made a specific decision, and that the decision was reasonable given what they knew at the time.
I have spent considerable time this year thinking about what that standard means for how I run my function. It changes the answer to questions that GRC directors often treat as administrative rather than strategic. What constitutes adequate escalation documentation? What does “made aware” mean when a suspicious pattern appears in a monitoring report that crosses my desk? At what point does not acting on information I had access to constitute the kind of willful blindness the law is designed to penalize?
These are not abstract questions. They are now questions with potential criminal answers.
3 things that need to change
I am not writing this to alarm. The law is well-designed and the direction of travel is right. Personal accountability is a meaningful deterrent, and it aligns the UAE with jurisdictions like the UK, where a senior manager regime has existed for more than a decade. But the operational changes the new framework demands are real, and I think three of them are being underestimated.
First, individual decision logging needs to become as rigorous as transaction logging. The audit trail that most UAE financial institutions maintain for AML decisions was designed for institutional review, not individual accountability. It records that an alert was cleared but not always who cleared it, what information they reviewed and why the decision was reasonable. Those three elements are now legally material. Any GRC director operating without that level of documentation is exposed.
Second, the definition of “senior management” needs to be tested against your actual structure, not your organizational chart. The regulations define senior management by function, not title. If your GRC director has authority over compliance policies and risk management decisions, which they typically do, the definition applies regardless of whether the title says director or manager. Institutions that have not mapped their actual decision-making authority against the legal definition are making an assumption that may not survive scrutiny.
Third, escalation processes need to create records. The most dangerous scenario under the new framework is not the compliance officer who ignores a red flag. It is the one who escalates it verbally, receives a verbal response and has nothing written down. Under Decree Law 10’s objective knowledge standard, that officer may have difficulty proving they acted appropriately. Every material escalation needs a written record, not because the law requires a specific format, but because without one, “I escalated this and was told it was fine” is a defense that cannot be demonstrated.
What this means for how we develop the profession
A broader professional development question is embedded in Decree Law 10 that the compliance community in the UAE needs to address collectively. The law has fundamentally changed the risk profile of a GRC leadership role. The people who occupy these roles and the institutions that recruit them need to adjust their understanding of what the job now entails.
In the UK and EU, the senior managers and certification regime (SMCR) has prompted significant changes in how compliance officers negotiate their terms of engagement, what indemnities they seek from their employers and how they document their own conduct over time, including a documented increase in detailed minutes of meetings and board papers driven directly by SMCR accountability concerns. The UAE market has not had that conversation in any systematic way. It needs to start.
For GRC directors currently in post, the time to build your personal documentation discipline is now, not when a regulatory examination begins. For boards and audit committees, the time to understand the individual accountability implications of the new law for your senior compliance staff is before you need that understanding in an enforcement context.


Amarjeet Singh is director of governance, risk and compliance at business consultancy AJMS Global. He previously served in AML, KYC, sanctions and compliance roles at HSBC, Deutsche Bank and Societe Generale Global Solution Centre. 







