For banks and fintechs operating across GCC and France, the difference between a compliant operation and a non-compliant one is invisible from the outside — until SAMA or CBUAE makes it visible with a nine-figure fine.
CBUAE imposed AED 780 million in AML penalties in 2023–2024 — a tenfold increase from the prior biennium — while SAMA pursued personal director liability for compliance failures for the first time in Saudi regulatory history.
SAMA and CBUAE have dramatically increased enforcement activity since 2022. Fines for AML/CFT violations are now in the hundreds of millions of dirhams and riyals, and personal director liability for systemic failures is being pursued in Saudi Arabia for the first time. A single AML finding in one jurisdiction now routinely triggers supervisory scrutiny across every market where the institution holds a licence.
VARA (UAE) and DIFC's virtual assets framework are creating new licensing obligations for crypto exchanges, digital asset managers, and stablecoin issuers. Companies that were operating in regulatory grey areas before 2022 now face retroactive licensing requirements. The cost of non-compliance has shifted from regulatory ambiguity to enforcement action.
SAMA's open banking framework and CBUAE's consumer data sharing regulations are creating new liability exposure for banks and fintechs around data accuracy, consent, and breach notification. The intersection of GDPR, UAE PDPL, and Saudi PDPL creates overlapping obligations that compliance teams across jurisdictions struggle to reconcile without specialist legal architecture.
Financial institutions structuring entities across multiple GCC jurisdictions to achieve regulatory optimisation face increasing scrutiny from consolidated supervision requirements. SAMA and CBUAE are sharing information with DFSA and international regulators under AML information exchange agreements — regulatory arbitrage that was invisible five years ago is now visible to every supervisor in the group.
What's at stake
A single AML enforcement action by CBUAE can terminate correspondent banking relationships across the institution's entire network — effectively cutting off access to international payment systems.
A VARA licensing failure for a virtual asset service provider does not result in a warning — it results in enforcement action, asset freezing, and potential criminal referral under UAE Federal Decree-Law No. 46 of 2021.
Personal director liability for AML compliance failures in Saudi Arabia exposes board members to travel bans, asset freezes, and criminal prosecution — consequences that no D&O policy in the GCC market currently covers.
A data breach affecting EU-linked customer data triggers GDPR notification obligations (72 hours) simultaneously with UAE PDPL and Saudi PDPL requirements — each with different notification timelines, content requirements, and regulatory contacts.
Industry challenges
These are the issues that keep decision-makers in your industry awake at night. We hear them every week — and we know how to fix them.
CBUAE's AML enforcement process under Federal Decree-Law No. 20 of 2018 (AML/CFT Law) moves fast. The initial information request establishes the scope; the response sets the tone. Early strategic errors — providing incomplete information, conceding systemic issues prematurely, failing to distinguish between procedural gaps and substantive violations — compound the severity of the outcome.
AML fines average AED 20–50 million for institutional violations, with recent penalties reaching AED 200+ million, accompanied by personal director liability orders and correspondent banking relationship reviews by international banks that take 6–12 months and may result in de-risking.
VARA's licensing framework requires all virtual asset service providers operating in Dubai to obtain a licence. Companies that were operating before the framework took effect were given a transition period. Companies that missed the transition deadline face enforcement action, including asset freezing orders under Article 15 of Cabinet Decision No. 111 of 2022.
The consequences are enforcement action, a potential asset freeze, and operational shutdown. Licence applications filed post-deadline face enhanced scrutiny and processing times of 6–12 months. The reputational damage of a public enforcement action in the crypto market makes fundraising and partnership development nearly impossible.
A data breach affecting customers with EU residency triggers GDPR Article 33 notification (72 hours to the lead supervisory authority). The same breach triggers UAE PDPL notification requirements and Saudi PDPL obligations if Saudi resident data is affected. Each regulator requires different information, different formats, and different timelines. A notification that satisfies one may be incomplete for another.
GDPR fines run up to 4% of global annual turnover; UAE PDPL penalties run up to AED 5 million per violation; Saudi PDPL penalties run up to SAR 5 million. The aggregate exposure across three regulatory regimes can exceed the insurance coverage of most GCC-based financial institutions.
Your financial group holds licences in Saudi Arabia (SAMA), DIFC (DFSA), and Abu Dhabi (ADGM FSRA). SAMA's consolidated supervision review concluded that the group structure channels higher-risk activities through the least restrictive regulatory environment. SAMA has requested a restructuring plan within 90 days.
Group restructuring costs SAR 10–30 million, requires client migration between entities during the restructuring, and carries the risk of SAMA licence conditions being tightened. The 90-day timeline does not accommodate the DFSA and ADGM regulatory change processes required to implement the restructuring, creating a compliance gap.
Don't let these problems compound.
Let's solve them together.
We manage licensing and ongoing compliance across SAMA, CBUAE, DFSA, ADGM FSRA, and French ACPR/AMF. Our work covers regulatory business plan preparation, capital adequacy calculations under Basel III/CRD frameworks, fit-and-proper assessments, outsourcing arrangements, IT systems documentation, and ongoing supervisory reporting. We advise on the specific requirements for banking, insurance, investment management, and payment services licences in each jurisdiction.
We design and implement anti-money laundering programmes that satisfy multiple regulators simultaneously: enterprise-wide risk assessments using FATF methodology, customer due diligence and enhanced due diligence procedures, beneficial ownership identification, PEP screening, transaction monitoring, suspicious activity reporting, and sanctions screening against OFAC SDN, EU Consolidated List, and UN Security Council lists. We prepare institutions for regulatory examinations and represent them in enforcement proceedings.
We advise on VARA licensing in Dubai, DIFC virtual asset framework compliance, ADGM digital asset regulation, and the interaction between UAE virtual asset rules and international frameworks (MiCA in Europe, MAS in Singapore). Our work covers exchange licensing, custody arrangements, stablecoin regulatory classification, and the specific AML/CFT requirements applicable to virtual asset service providers.
We represent financial institutions in loan enforcement proceedings, guarantee disputes, regulatory investigations, and enforcement actions. Our enforcement defence practice covers responses to supervisory letters, formal investigation management, settlement negotiations (including the specific discount regimes of DFSA, ACPR, and AMF), contested proceedings before regulatory tribunals, and the management of parallel criminal proceedings where regulatory findings may trigger personal criminal liability.
An information request is the first step in CBUAE's enforcement process, but it is not yet a formal investigation. The critical factor is how you respond. Responses that are incomplete, inconsistent with your documented policies, or that inadvertently concede systemic issues set the tone for everything that follows. We prepare responses that are cooperative and complete while preserving the institution's position on contested issues. The response deadline is typically 30 days and extensions are rarely granted.
If you missed the VARA transition deadline, the only viable option is an immediate voluntary licence application combined with a proactive engagement strategy with VARA. Continuing to operate without a licence risks enforcement action including asset freezing and criminal referral. VARA has shown willingness to work with applicants who self-report, but enforcement against those who do not has been swift. Application processing for post-deadline applicants is currently 6–12 months.
Yes. SAMA has been conducting consolidated supervision reviews since 2023 and is actively sharing information with DFSA and ADGM under bilateral cooperation agreements. The specific risk is that SAMA concludes your group structure channels higher-risk activities to the least restrictive jurisdiction. The consequences include licence condition changes, restructuring requirements, and enhanced reporting obligations. We advise on group structuring that satisfies all three regulators' consolidated supervision expectations.
The two regimes have different legal bases for processing, different consent requirements, and different cross-border transfer mechanisms. GDPR requires Standard Contractual Clauses or adequacy decisions for transfers to the UAE (which does not have an EU adequacy finding). UAE PDPL requires that cross-border transfers comply with a 'comparable level of protection' standard. We design data architectures that satisfy both regimes through parallel processing bases, layered consent, and transfer impact assessments.
Yes. SAMA's 2023 enforcement guidance explicitly provides for personal liability of directors and senior compliance officers for systemic AML failures. Saudi Arabia's AML Law (Royal Decree M/31 of 2022) imposes criminal penalties including imprisonment for individuals who 'knowingly or negligently' facilitate money laundering through inadequate controls. The threshold for 'negligence' in this context is being tested in current proceedings and is likely to be interpreted broadly.
CBUAE proposed an AED 120 million penalty against our bank. GSDA's enforcement defence team reduced the final penalty to AED 18 million and eliminated the personal director liability finding. The difference was their understanding of exactly how CBUAE's enforcement process works.
General Counsel — Regional Bank, UAE Operations
The GSDA advantage
Dual-qualified lawyers with direct experience of both European (ACPR/AMF) and Gulf (DFSA/SAMA/CBUAE) financial regulatory regimes.
AML enforcement defence capability — we have represented institutions in CBUAE and SAMA enforcement proceedings with outcomes significantly below the initially proposed penalties.
VARA and DIFC virtual asset licensing expertise for crypto exchanges, digital asset managers, and stablecoin issuers.
Trilingual team (English, French, Arabic) essential for regulatory submissions across GCC and French jurisdictions.
Integrated banking dispute resolution and regulatory defence — we handle the commercial dispute and the regulatory investigation in parallel.