EU defies FATF to keep UAE on money laundering grey list

In a stunning rebuttal to the global financial crime watchdog the FATF, the European Parliament voted on Tuesday 23 April to keep the United Arab Emirates on the EU’s list of High Risk Third Countries. This will complicate due diligence efforts for regulated entities who may no longer be able to rely solely on the FATF grey list as the single source of truth for jurisdictions at high risk of financial crime. 

When was the UAE added to the FATF grey list?

In March 2022, the UAE was added to the FATF grey list for strategic deficiencies in their anti-money laundering regulations. With tightening sanctions on Russia following its 2022 invasion of Ukraine, oligarchs flocked to Emirati shores to stash their assets in Dubai’s luxury markets. Alongside poor efforts by UAE law enforcement to crack down on money laundering and a very low prosecution record, grey listing by the FATF and EU did not come as a surprise.

What is the money laundering risk in the UAE?

Commentators were however shocked that just two years later, in March 2024, the UAE was removed from the FATF grey list despite the ongoing litany of concerns. Various reports have suggested that the FATF’s decision was politically motivated, and the UAE continues to find itself at the centre of serious scandals. In January 2024, a UN report found credible evidence that the UAE was arming paramilitary groups fighting in the Sudanese Civil War which has already killed more than 13,000 people and displaced nearly 8 million. Russian banks have been circumventing sanctions by swapping dollars for gold in UAE markets. Dubai was named the ‘El Dorado’ for gold smugglers in a recent expose highlighting the city’s role as a hub for international money laundering networks. 

Even Dubai’s international airport has been cited as a key transit route for bulk cash smuggling. A report in the Wall Street Journal identified a key cash smuggling route between Dubai and Heathrow, where London authorities are scanning for explosives, not wads of notes. Some cash couriers have flown to Dubai with 11 suitcases weighing over 200 kgs of cash. The UAE has no limits on how much cash can be brought into the country, so as long as cash smugglers can leave their country of origin undetected, once they land in the UAE they are home free.

Why has the EU kept the UAE on the grey list?

Unsurprisingly, Transparency International had lobbied to keep the UAE on the European grey list. Despite reforms by the UAE, campaigners have said it’s too early to assess their effectiveness, nor is there substantial evidence to suggest the country has improved on enforcement.

The EU’s decision complicates compliance efforts, particularly since UK legislation automatically follows the FATF’s published grey list. UK firms may find themselves under suspicion by European colleagues if they fail to consider enhanced due diligence on UAE-based transactions and clients.

What should regulated entities do now about the UAE’s money laundering risk?

Allegations of politicking at the FATF should also give cause for concern. Assessing the risk of jurisdictions should take account of the reality of the country’s money laundering risk. If the FATF is failing to do so, then firms should consider a wider analysis in their risk assessment process. Ultimately, enhanced due diligence is necessary when there is a heightened risk of money laundering. The European Union have decided the UAE continues to meet this threshold, and all businesses which are required to assess the risk of money laundering should take this into account. 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.