FAQs
Your OTPs may have expired. Kindly contact [email protected] to request the OTPs to be refreshed.
In the pop-up screen, please fill in the username received from [email protected] and the Google authenticator passcode as the password.
- Click on the Login link https://services.uaefiu.gov.ae
- Navigate to SYSTEMS
- Click on GOAML
4. You will then see the below pop-up screen; where you need to use the username received from [email protected] and the 6-digit Google Authenticator Passcode as the password (note that the code changes every 30 seconds for security reasons).
5. You will be directed to the goAML homepage
6. Click the Login Button
7. Type in the username and password you created at the time of registering on goAML then click login
The goAML system provides users with the Forgot Password button next to Log In button
- Click Forgot Password button
- When the Reset Password Request window populates, enter User Name > Email > Submit
The registered email address will then receive an email with a link redirecting to the goAML portal where the Reset Password Request page will open.
After entering all the required details, the new password will be set.
Please send the below information to the goAML Support Team at [email protected] to verify your identity and retrieve your username:
- Entity name as registered on goAML
- First and last name as registered on goAML
- Registered email address.
- Emirates ID Number (no need to send a copy).
- Passport Number (no need to send a copy).
- Date of Birth.
- Org ID (This is a number assigned by the goAML to each organization after successful registration. It should be in the email approval received from goAML).
- The organization should appoint a new MLRO/Compliance Officer/Contact Person
- The organization should request the regulator's approval via email prior to registering the new Person unto the system
- New MLRO to register on SACM (1st stage)
- The regulator should approve the SACM registration for the new MLRO in order for them to obtain their own login credentials to the network
- New MLRO to register on goAML as a Person under the same Org ID (This is a number assigned by the goAML to each organization after successful registration. It should be in the email approval received from goAML)
- The regulator to inform the goAML Support team ([email protected]) to deactivate old MLRO and activate the new one via email
- After initial login, new MLRO needs to change the contact person details under My ORG details on goAML following Q8 below.
- Regulator should approve these changes on goAML.
Please refer to the 1st stage and 2nd stage registration guides.
- Register on the eservices portal (SACM) to gain access to the network
- Regulator to approve the SACM pre-registration
- New user to receive SACM username and security key
- New user to download Google Authenticator app on their mobile phone and use the secret key to set up their account
- New user to use the received username and the Google Authenticator 6-digit passcode to login to the network and access goAML
- New user to register as a Person under the same Org ID (This is a number assigned by the goAML to each organization after successful registration. It should be in the email approval received from goAML)
- Organization admin user (MLRO/Compliance Officer) to approve the new user request following the steps depicted in Section 5 of the goAML Registration Guide
In order to update the organization’s details, the user must follow these steps:
- Step 1: The user should login to the FIU’s portal using the user login credentials they acquired during the registration process
- Step 2: Once the user has logged in, they should go to the My goAML menu, then click on the My Org Details menu item
- Step 3: The user should then update entity details like the name, Incorporation number, acronym, commercial name, business activity, email, website, contact person, telephone number, address of the institution, etc.
Once the request has been submitted, the Supervisory Body/Regulator will verify this information and upon approval, the system will send an automated confirmation email to the organization.
goAML users can change their user details when required by navigating to the My goAML menu and selecting My User Details.
A registering person window will then expand; details on how to fill it out are available in the goAML Registration Guide. After submitting the request, the user should await approval from the admin user (MLRO/Compliance Officer) of the organization or if the MLRO/Compliance Officer has submitted the changes then the Supervisory Body/Regulator will carry out the approval.
System wise, yes. Delegation is possible on the goAML system. The registered reporting entity may delegate the reporting function to a third party. However, it is recommended that the delegated party should create an account on the FIU’s goAML platform (using the ‘Register as an Organization’ option) before receiving delegation of reporting responsibilities on behalf of an organization.
After logging on to the goAML portal, the MLRO/Compliance Officer should navigate to the Admin menu and Select Active Organizations from the drop-down menu. Kindly note that this feature is only available to the admin user of the organization i.e. the MRLO.
The Active Organizations page will be displayed, in which the user will need to click the Change Selected Delegating Organization. Kindly note that the delegated party should be registered and approved on the goAML platform by the Supervisory Body/Regulator before proceeding with this step. Please refer to the registration guide for details on how to register on the system as a new organization.
A Registering Organization form will then expand, in which the user will be required to specify the desired delegated party by selecting the Change Delegation checkbox.
The Change Delegation dialogue box will then populate, in which the user will be required to click OK.
Subsequently, the user should specify the Organization ID associated with the delegate party on the goAML system.
Once the request is submitted, it should then be approved by the Supervisory Body/Regulator before the delegation function is enabled.
The respective Supervisory Body/Regulator will be approving their regulated entities registrations and any changes related to its details or its MLRO/Compliance Officer’s details.
The MLRO/Compliance Officer may submit additional information pertaining to an existing report by submitting a relevant ‘AIF’ (Additional Information File) or AIFT (Additional Information File with Transactions) if the additional transactions need to be reported.
The MLRO/Compliance Officer must quote the original report reference number by referencing the report’s web reference number in the FIU reference field as shown below.
An Organization is required to select the Register as an Organization option when registering on the goAML system for the first time. Once the Supervisory Body/Regulator approves the request, the reporting entity may subsequently allow internal users within the organization to register on the system by selecting the Register as a Person option.
Yes. All reports can be printed before submission. The user will have to click the preview button before submitting the report then click the printer icon to print the report as shown in the below figures.
The goAML Message Board is a secure means of communication between the UAE FIU and goAML users. The advantage of such a communication channel is that it allows two-way communication between reporting entities and the UAE FIU.
Reporting entities are notified immediately through the Message Board if their reports are accepted or rejected. Similarly, this feature is used in the instance where the UAE FIU requires further information from a reporting entity or to send guidance notices and feedback reports.
The Message Board is not linked to any specific user but rather the organization as a whole.
The goAML is preconfigured with two roles that are defined in the system for both the organization’s admin user RE Admin (the user who registered the organization i.e. MLRO/Compliance Officer) and the organization’s user RE User (the user who registered as a person under the same Org ID). These roles have been designed with several access rights being allowed for each specific subset of users in the system. The reporting entity’s admin user can specify what roles the organization’s users are to assume as shown below:
- Navigate to Admin, then click User-Role Management
- Click on the desired user within the organization and specify their role.
Should the organization’s admin user consider that the preconfigured user access rights defined are not suitable for their users, and then they may add a new role for their organization as shown below:
- Navigate to Admin, then click Role Management
- Click on Add a new role for this entity
The system will then allow the organization’s admin to create a new role for their organization, in which they can specify their own access rights for different types of users in the organization.
An “Account” should be chosen when the report involves transactions. A “Person” or an “Entity” should be chosen if no “Account” details are available to the organization.
Examples: For cash deposit transactions, the organization should choose “Bi Party”, from “Person” to “Account”. For cash withdrawal transactions, the organization should choose “Bi Party” from “Account” to “Person”. For remittances, the organization should choose “Bi Party” from “Account” to “Account”.
In case of non-banking/non-MSBs organizations, a “Person” or an “Entity” will be more convenient to use.
Fraud is not a report type on the goAML. However, to file a fraud incident, organizations may opt to file a Suspicious Transactions Report or a Suspicious Activity Report depending on the type of fraud incident that the organization is reporting. Additionally, the most suitable Reason For Reporting should be chosen to carefully describe the red flags that should be highlighted.
MPLS connection is still required for those organizations who need to access CBSP for Payment Systems i.e. all CBUAE regulated organizations. Other than that, organizations may access the goAML using a normal internet connection through the e-services portal “Services Access Control Management” (SACM).
As per Section (7) – Article (20) item (3) of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation Of Decree Law No. (20) Of 2018 on Anti- Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, “Appropriate arrangements for compliance management for combating the Crime, including appointing a compliance officer” and Section (8) – Article (21) lists down the expected tasks of the Compliance Officer.
No. goAML is a platform to submit suspicious reports only.
5 calendar days.
15 calendar days.
5 calendar days. Hence, please Click Revert, edit the report in the draft mode and resubmit it before the 10 days grace period allowed for resubmission. Otherwise, the organization will need to submit a fresh report.
4000 characters.
Please check the junk mailbox. If not found there, then the email may have been blocked by your entity’s mail servers. Please request your IT team to whitelist the system’s email address [email protected] and inform the goAML Support team so it can be resent via emailing [email protected]
Please register yourself as a Person under the same Org ID. Your request will be assessed by your regulator and approved or rejected accordingly.
To know how to register as a person, please refer to section 4 in the goAML Registration Guide (2nd stage registration).
You can contact your previous employer to request deactivating your old user on both stages, the eservices portal (SACM) and goAML so you can use your details to create new profiles under your new employer.
To know how to register as a person, please refer to section 4 in the goAML Registration Guide (2nd stage registration).
You can contact your previous employer to request deactivating your old user on both the eservices portal (SACM) and goAML so you can use your details to create new profiles under your new employer.
You need to register as an organization and not as a person. The "register a person button" is available for additional users only after an organization is active.
Each attachment size should not exceed 5MB. The file name should be in English, short and should not include any special characters. For report attachments, there is a max capacity of 20MB per report.
Make sure to click on the “Upload” button before submitting the form.
Please send an email to the goAML Support team on [email protected] to revoke your current request so you can re-register using the correct mobile number.
We suggest that download the Google Authenticator App on the new mobile phone and redo the setup following section 5 of the Pre-Registration Guide.
Your Supervisory Body/Regulator approves both requests for your organization.
You may follow up with the admin user of your organization who is usually the MLRO/Compliance Officer. All additional users registering under the same entity are to be approved by the entity’s admin user i.e. the MLRO/Compliance Officer.
Please check the junk mailbox. If not found there, then the emails may be blocked by your entity’s mail servers. Please request your IT team to whitelist the system’s email address [email protected] and inform the goAML Support team.
Please resubmit your request and ensure to click on browse to select the documents you would like to upload, then click on upload. You should then see a pop-up message on your screen asking for a confirmation to upload the documents. If you do not see the pop-up then you will need to adjust your web browser settings and enable pop-ups. Otherwise, the documents will not be uploaded to the system.
The MLRO/Compliance Officer is the registering person for any organization. Hence, he is registered by default once the organization is registered on goAML. This means that no Person registration is required. Person registration is only needed if the organization wishes to register additional users beside the MLRO/Compliance Officer or in case of changing the MLRO/Compliance Officer.
Please set up your Google Authenticator App as per section 4 of the pre-registration guide https://www.uaefiu.gov.ae/en/media/pdf/guidance/goAML%20Pre-registration%20Guide%20-%20Reporting%20Entities.pdf and proceed to complete your registration on goAML following the attached guide.
This could be due to a problem in the Google Authenticator 6-digit passcode. If you are using an Android phone, we advise that you time sync the Google Authenticator app. Otherwise, you may delete the app and re-install it.
Unfortunately, the service provider does not deliver SMS OTPs to international mobile numbers. Please use a UAE mobile number.
No, please re-submit your pre-registration request on SACM and attach all required documents in one PDF.
Please avoid copying the information from a document and pasting it into the system. Please type in the details yourself. Kindly ensure that the attachment is less than 5 MB in size and the file name is in English, does not contain any special characters and is short.
Unfortunately, we cannot amend the registered details we have to cancel the request so you can re-apply.
In order to safeguard the confidential information pertaining to the submitted DPMS reports, goAML system is programmed to delete reports as described below:
- Dispose of web-report information after creation and not yet submitted is 15 days.
- Dispose of web-report information after submission and rejection for invalid structure or failed validation – waiting to be reverted is 5 days.
- Dispose of web-report information after being reverted is 10 days.
- Transactions with individuals:
- For Transactions with resident individuals: Please obtain identification documents (Emirates ID or Passport) for cash transactions equal to or exceeding AED 55,000 and file a DPMSR
- For Transactions with non-resident individuals: Obtain identification documents (ID or Passport) for cash transactions equal to or exceeding AED 55,000 and file a DPMSR
- For Credit card, cheque or bank transactions with individuals exceeding AED55,000 need not be reported. However, if there is any suspicion arises, it has to be reported under STR
- For Old gold exchange (old gold/ jewelry exchanged for new jewelry: If there is no cash transaction (exceeding the threshold limit), such transactions need not to be reported
- Transactions with companies:
- B2B cash transactions equal to or exceeding AED 55,000 need to be reported in DPMSR
- Cheque and local wire transfers need not to be reported in DPMSR if it is a wire transfer from a bank within the UAE, however, if the transfer is made through an exchange house, you still have to report the transaction in goAML under DPMSR
All international wire transfers need to be reported in DPMSR
Gold to Gold trading: wholesalers accepting bullion against jewelry need not to be reported in a DPMSR.
No.
Yes.
Yes.
Yes.
Within 2 weeks of the transaction occurrence.
Yes.
For wire transfers from outside the country, identification required while reporting in DPMSR are: Trade license, Name of the entity and ID proof of the local representative.
“Making charges” is not considered a reportable transaction if there is no buying or selling of precious metals and stones involved.
No.
Yes.
No reporting is required if it’s within the same group.
Not to be reported as the transaction is between two banks locally.
If it’s an international wire transfer it has to be reported.
63.1 Transfer from one party’s AED account to other party’s AED account or
63.2 Transfer from one party’s USD account to other party’s USD account (both have accounts in the same bank in UAE) or
63.2 Transfer from one party’s USD account to other party’s USD account (both have accounts in different banks in UAE)
No reporting is required.
No.
Yes
Yes
No.
No.
No reporting is required.
A customer being a PEP is not grounds for suspicion until you are doubting their transactions/activities to be linked to a suspected money laundering activity.
That said, as per the MOE’s guidelines for DNFBPS on AML/CFT available here https://www.moec.gov.ae/documents/20121/469920/AMLCFT+Guidance+for+DNFBPs.pdf/0557c726-d8a7-ea63-594b-10110e300dc8?t=1633853458984 customer risk factors include foreign PEP. Based on that, section 6.4.1 of the above Guidelines lays down the requirement for PEPs. Please review carefully and decide the course of action accordingly.
No.
Both.
No.
No. however please be mindful of the reporting requirements for HRC and HRCA reports which can be found at the following link https://www.uaefiu.gov.ae/media/jmiddwor/1-goaml-web-report-submission-guide-v2-4-20-07-2022.pdf
No.
This is a company’s decision. You may opt to select the best option for your requirements.
If, during the establishment or course of the customer relationship, or when conducting transactions/activities on behalf of a customer or a potential customer, a reporting entity identifies transactions related to high risk countries as defined by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (A comprehensive list of High-Risk Countries can be found on the FATF website at the below links)
Then the entity should submit an HRC/HRCA to the FIU. Such reported transaction(s)/activities may only be executed three working days after reporting such to the FIU, and if the FIU does not object to conducting the transaction/activity within the set period.
The designated Compliance Officer must understand his/her obligations under the UAE AML/CTF law and Cabinet decision. Non-reporting of STRs/SARs when there are red flags or solid grounds of wrong doing, may lead to imprisonment of the compliance officer, and/or financial fines, and suspension/cancelation of the company’s trade license.
Ideally, it’s the responsibility of the Compliance Officer, however, reporting entities with high volume clients/transactions may add more users to goAML in order to raise reports (the user rights in goAML can be decided by the compliance officer).
No, if it’s the same transaction you choose either STR or SAR. The main difference between STRs and SARs is the availability of information, STRs require the information of the bank account of the client (the suspect), while SARs don’t require this information. In some scenarios you can raise both; a REAR and STR/SAR if there is a suspicion and the payment is made in cash/crypto above the AED 55,000 threshold for real estate activities.
No, however, you should maintain all information related to the suspicious transaction & clients for a minimum period of 5 years from the date of transaction.
There is no expectation that the FIU will respond to STRs/SARs. That said the FIU may send questions or a list of requirements when a report merits further due diligence. Other than that, the FIU sends a quarterly feedback report via the goAML Message Board to all reporting entities and their respective supervisory bodies.
No, the decision remains with the reporting entity (compliance officer), however, matches to the UAE and UN sanctions list require rejecting the transaction / freezing the funds if received in your accounts and report FFR/PNMR.
The relevant authorities will usually respond within 14 working days from the report date.
Please refer to Article (3) of the Cabinet Decision No. (10) of 2019 CONCERNING THE IMPLEMENTING REGULATION OF DECREE LAW NO. (20) OF 2018 ON ANTI- MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM AND ILLEGAL ORGANISATIONS https://www.moec.gov.ae/documents/20121/0/%D8%A7%D9%84%D9%84%D8%A7%D8%A6%D8%AD%D8%A9+%D8%A7%D9%84%D8%AA%D9%86%D9%81%D9%8A%D8%B0%D9%8A%D8%A9+%D9%84%D9%85%D9%88%D8%A7%D8%AC%D9%87%D8%A9+%D8%BA%D8%B3%D9%84+%D8%A7%D9%84%D8%A7%D9%85%D9%88%D8%A7%D9%84+%281%29.pdf/81ffaf69-6b0f-7459-5041-7a189198429b?t=1646293832367
For clarity on the definition of DNFBPs and the reporting requirements. Aside from that, other sectors and authorities that are not included in the Law/Cabinet Decision may still register and report STRs/SARs voluntarily.
Please reach out to your supervisory authority for this information.