Anti-money laundering, beneficial ownership, data protection (PDPL/GDPR), foreign investment screening, competition law, financial services licensing, sanctions compliance — across UAE, Saudi Arabia, France, and the DIFC.
Regulators in the GCC and France are not announcing their enforcement priorities and then waiting. They are auditing without notice, fining without warning, and revoking licences for violations that companies had no idea were violations. The question is not whether the regulator will look at your business — it is whether they will find what they are looking for.
The compliance programme that looks complete on paper — policies, procedures, training records — has never been tested against the actual regulatory standard. The AFA auditor does not ask whether you have a policy. The auditor asks whether the policy was applied to the specific transaction that triggered the audit.
Regulatory compliance has shifted from a periodic audit exercise to an operational constant. AML/CFT frameworks, data protection regimes, beneficial ownership obligations, competition law, and sanctions lists are all tightening simultaneously — and they are tightening at different speeds in different jurisdictions. For companies operating across multiple markets, the compliance gap is not what you know you need to do. It is the obligation in the jurisdiction you expanded into last year that your programme has not caught up with yet.
UAE Federal Decree-Law No. 20 of 2018 on AML/CFT creates criminal liability for employees who facilitate money laundering — not just the institution. DNFBPs including lawyers, real estate agents, and dealers in precious metals have specific reporting obligations under Cabinet Decision No. 10 of 2019. The employee who processes the transaction is personally liable, not just the compliance officer who failed to flag it.
UAE Cabinet Decision No. 58 of 2020 requires all UAE companies to maintain and file a register of ultimate beneficial owners with the Ministry of Economy. Failure to comply carries fines up to AED 100,000 per company, and the Ministry has been actively enforcing since 2022 — including blocking trade licence renewals and bank account operations for non-compliant entities.
Saudi PDPL (Personal Data Protection Law — Royal Decree M/19 of 2021, effective September 2023) imposes mandatory breach notification to SDAIA within 72 hours, data subject rights that must be technically implemented (not just described in a policy), and administrative sanctions up to SAR 5 million per violation. Data localisation requirements mean personal data must be stored in Saudi Arabia unless specific cross-border transfer conditions are met.
Companies established outside the EU that target EU data subjects or monitor EU residents are subject to GDPR — GCC companies with EU customers, EU employees, or EU e-commerce operations are frequently in violation without knowing it. The CNIL (France’s data protection authority) has been particularly active in enforcing GDPR against non-EU companies with a French customer base.
UAE Competition Law Federal Decree-Law No. 36 of 2023 introduced cartel prohibition with fines up to 10% of annual UAE revenue and a merger control filing threshold of AED 300 million aggregate UAE value — a threshold that captures many GCC deals that previously required no competition filing. The CRC has dawn raid powers that most companies have not prepared for.
French SAPIN II Law (Loi No. 2016-1691) requires all French companies with 500+ employees and EUR 100 million+ revenue to maintain an anti-corruption compliance programme. The AFA (Agence Française Anticorruption) conducts mandatory audits — and companies without a compliant programme face fines up to EUR 1 million and senior management sanctions including personal criminal liability for the CEO.
Related Services
The challenges you face
Every day we hear these concerns from CEOs, CFOs and general counsel across the GCC and Europe. If any of these sound familiar, you're not alone — and we can help.
A UAE company changed its shareholder structure 14 months ago — a trust was restructured, a nominee was replaced, and a new investor acquired a 30% interest. The beneficial ownership register filed with the Ministry of Economy under Cabinet Decision No. 58 of 2020 still reflects the previous structure. The Ministry’s enforcement team has selected the company for a random UBO compliance audit. The register must be updated within 15 days of any change in beneficial ownership. The company is 14 months late.
Administrative fines of up to AED 100,000 per entity. The company’s trade licence renewal is blocked pending UBO compliance. Bank account operations are restricted — the company’s relationship bank has flagged the UBO discrepancy during its own KYC refresh and placed a hold on outgoing transactions. All future corporate transactions (share transfers, mergers, new bank accounts) are blocked until the register is corrected and accepted by the Ministry.
A UAE-headquartered technology company with a French customer base discovers that the CNIL (Commission nationale de l’informatique et des libertés) has opened an investigation. The company processes personal data of EU residents through its Dubai-based servers. It has no EU representative appointed under GDPR Article 27. Its privacy notices reference only UAE PDPL. It has no data processing agreements with EU-based processors. The company assumed GDPR did not apply because it has no EU entity. The CNIL disagrees — GDPR Article 3(2) applies to any company that targets EU data subjects, regardless of where the company is established.
The CNIL issues a fine of EUR 180,000 under GDPR Article 83(5). The company must appoint an EU representative, rewrite all privacy notices, execute data processing agreements, implement cross-border transfer mechanisms (Standard Contractual Clauses), and conduct a data protection impact assessment for its EU processing activities — a remediation programme that costs EUR 250,000 and takes 6 months. French enterprise clients begin demanding GDPR-compliant data processing addenda as a condition of contract renewal.
A Saudi subsidiary of a multinational company discovers that a database containing personal data of 45,000 Saudi customers was accessed by an unauthorised third party. The IT team identified the breach on a Thursday. The incident report reached the legal team on Sunday. The legal team spent 4 days assessing the scope. The Saudi PDPL (Royal Decree M/19 of 2021) requires mandatory breach notification to SDAIA within 72 hours of becoming aware of the breach. The company is now 7 days past the notification deadline.
SDAIA imposes an administrative sanction for late notification — a separate violation from the underlying breach itself. The double sanction (breach + late notification) results in enhanced penalties. The company must now conduct a full incident response, notify all affected data subjects individually, implement remediation measures, and submit a detailed report to SDAIA. The reputational damage of a data breach that was both suffered and then improperly handled is significantly greater than the breach alone.
The Agence Française Anticorruption (AFA) conducted a mandatory audit of a French company’s SAPIN II compliance programme. The company has all eight pillars in place: code of conduct, whistleblowing mechanism, risk mapping, third-party due diligence, accounting controls, training, disciplinary sanctions, and monitoring. The problem: the risk map was last updated in 2019. The third-party due diligence procedure has never been applied to any actual transaction. The training records show a single online session completed by 60% of staff three years ago. The AFA’s assessment: the programme exists on paper but has never been operationally implemented.
The AFA issues a mise en demeure (formal notice) to the CEO personally, requiring full remediation within 12 months. Failure to comply within the deadline triggers a compliance agreement (convention judiciaire d’intérêt public — CJIP) supervised by the Parquet National Financier (PNF), with fines up to EUR 1 million for individuals and EUR 5 million for the company, plus mandatory external monitoring for 3 years. The CEO faces personal criminal exposure if the programme remains non-compliant after the mise en demeure period.
A GCC company completes a transaction with a counterparty that passed its sanctions screening. Six months later, an enhanced due diligence review reveals that the counterparty’s parent company owns a subsidiary that is on the OFAC Specially Designated Nationals (SDN) list. The OFAC 50 Percent Rule means that any entity owned 50% or more by a designated person is itself blocked — even if that entity is not individually listed. The GCC company’s sanctions screening checked the counterparty’s name against the SDN list but did not screen the counterparty’s ownership structure.
The GCC company has indirect exposure to a sanctioned entity through its transaction relationship. OFAC enforcement can impose civil penalties even for non-wilful violations. The company’s correspondent banking relationships are at risk — US banks that process USD transactions for the company may terminate the relationship upon discovering the sanctions nexus. The company has 30 days to demonstrate that it has terminated the relationship and implemented enhanced screening procedures, or face potential designation itself.
We advise financial institutions, DNFBPs, and corporate groups on AML/CFT compliance under UAE Federal Decree-Law No. 20 of 2018 and its implementing regulations — KYC/CDD procedures, transaction monitoring, suspicious activity reporting (goAML), sanctions screening integration, beneficial ownership identification, enhanced due diligence for PEPs and high-risk jurisdictions, and the specific DNFBP obligations under Cabinet Decision No. 10 of 2019 that apply to lawyers, real estate agents, auditors, and dealers in precious metals and stones.
We advise on multi-jurisdictional data protection compliance across four concurrent regimes: EU GDPR (including extraterritorial application to GCC companies under Article 3(2)), UAE PDPL (Federal Decree-Law No. 45 of 2021), Saudi PDPL (Royal Decree M/19 of 2021), and DIFC Data Protection Law 2020. We handle privacy impact assessments, data processing agreements, consent management frameworks, cross-border data transfer mechanisms (SCCs, adequacy assessments), breach notification procedures and timeline management, DPO appointment, and regulatory engagement with the CNIL, SDAIA, and UAE Data Office.
We manage UBO register compliance under UAE Cabinet Decision No. 58 of 2020, including initial filing, ongoing maintenance (15-day update requirement after any ownership change), and remediation of non-compliant registers. We advise on the interaction between UBO requirements and corporate structures involving nominees, trusts, and complex multi-layered holding arrangements — and on the consequences of non-compliance, which include fines, trade licence renewal blocks, and bank account restrictions.
We advise on UAE Competition Law (Federal Decree-Law No. 36 of 2023) — cartel prohibition, abuse of dominance, merger control filing (AED 300 million aggregate UAE-nexus revenue threshold), and dawn raid preparedness. We prepare dawn raid response protocols, train client teams on their rights and obligations during CRC inspections, and represent clients in CRC investigations and proceedings. For Saudi Arabia, we advise on GAC (General Authority for Competition) mandatory pre-completion notifications and the competition review process for M&A transactions.
We design integrated sanctions compliance programmes covering OFAC (SDN, SSI lists and the 50 Percent Rule), EU consolidated sanctions, UN Security Council sanctions, UAE Executive Office sanctions, and GCC domestic sanctions — including automated screening implementation, ownership structure analysis (not just entity-name screening), escalation procedures, OFAC licence application support, and secondary sanctions risk assessment for USD-denominated transactions. For technology companies, we advise on EU dual-use export control obligations under Regulation 2021/821 for transfers to GCC destinations.
Under UAE Cabinet Decision No. 58 of 2020, every UAE company must file a register of ultimate beneficial owners with the Ministry of Economy and update it within 15 days of any change in beneficial ownership. A beneficial owner is any natural person who owns 25% or more of the company’s shares or who exercises effective control regardless of shareholding. Changes that trigger the update obligation include: share transfers, trust restructurings, nominee replacements, new investors acquiring qualifying interests, and changes in the identity of the person exercising effective control. Non-compliance carries fines of up to AED 100,000 per entity, trade licence renewal blocks, bank account restrictions, and — in cases of deliberate misrepresentation — potential criminal liability for directors. The Ministry has been actively enforcing since 2022.
Yes — if your company targets EU data subjects or monitors EU residents’ behaviour. GDPR Article 3(2) applies to any company, regardless of where it is established, that offers goods or services to EU data subjects or monitors their behaviour within the EU. A GCC company with a French-language website, EU marketing campaigns, EU customer accounts, or EU-based employees is almost certainly within scope. The company must appoint an EU representative under Article 27, implement GDPR-compliant privacy notices, execute data processing agreements with EU-based processors, implement cross-border transfer mechanisms (Standard Contractual Clauses or equivalent), and comply with the 72-hour breach notification requirement. The CNIL has been particularly active in enforcing GDPR against non-EU companies with a French customer base. Fines under GDPR can reach 4% of global annual turnover or EUR 20 million, whichever is greater.
Under the Saudi PDPL (Royal Decree M/19 of 2021, effective September 2023), the data controller must notify SDAIA (Saudi Data and Artificial Intelligence Authority) within 72 hours of becoming aware of a personal data breach that is likely to cause harm to data subjects. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. If the breach is likely to result in a high risk to data subjects, the controller must also notify the affected individuals without undue delay. Missing the 72-hour deadline is treated as a separate violation from the underlying breach itself — resulting in a double sanction. Administrative penalties under the PDPL can reach SAR 5 million per violation, and repeated violations can result in doubled penalties.
Immediately suspend the transaction and escalate to senior management and your compliance officer. Conduct an enhanced due diligence review of the counterparty’s full ownership structure, not just the entity name. Under the OFAC 50 Percent Rule, any entity owned 50% or more by a Specially Designated National (SDN) is itself blocked, even if not individually listed. Determine whether the sanctions exposure is through OFAC, EU, UN, or domestic GCC sanctions — each has different blocking requirements and potential exemptions. File a Suspicious Activity Report (SAR) if required under AML/CFT obligations. Consult external counsel on whether a voluntary self-disclosure to OFAC is advisable — voluntary disclosure can reduce civil penalties by up to 50%. Document every step of your response. Do not resume the transaction until you have received a clear legal opinion that the sanctions nexus has been eliminated or that a specific licence or exemption applies.
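The ownership-structure screening that the sanctions scenario above and this answer call for, as an added Python example (not the firm's tooling): it applies the 50 Percent Rule to a constructed ownership graph, aggregating stakes held by listed persons and propagating blocked status downstream, so an unlisted entity such as the hypothetical TradeCo fails the ownership screen even though a name-only check passes it. Every entity name, percentage and list entry here is a constructed assumption, not real sanctions data.

```python
"""Ownership-structure screening under the OFAC 50 Percent Rule.

Added example, not the firm's tooling. Entity names, percentages and
the designated-party list are constructed for illustration; real
screening uses the current SDN list and verified ownership records.
"""
from typing import Dict, List, Set, Tuple

# Constructed ownership graph: owner -> [(owned entity, % held)].
OWNERSHIP: Dict[str, List[Tuple[str, float]]] = {
    "SanctionedCo": [("HoldCo", 30.0), ("CleanCo", 45.0)],
    "SecondSDN": [("HoldCo", 25.0)],
    "HoldCo": [("TradeCo", 50.0)],
    "Investor": [("HoldCo", 45.0), ("TradeCo", 50.0), ("CleanCo", 55.0)],
}
# Constructed designated-party list (stands in for the real SDN list).
SDN_LIST: Set[str] = {"SanctionedCo", "SecondSDN"}


def name_screen(entity: str, sdn: Set[str]) -> bool:
    """Name-only check: True only if the entity itself appears on the list."""
    return entity in sdn


def blocked_entities(ownership: Dict[str, List[Tuple[str, float]]],
                     sdn: Set[str]) -> Dict[str, float]:
    """Apply the 50 Percent Rule until no new entity becomes blocked.

    Returns {entity: aggregate % held by blocked persons} for every blocked
    entity: listed persons are recorded as 100.0, and any entity in which
    blocked persons together hold 50% or more is added. Entities blocked
    by the rule then count as blocked owners for the entities they hold,
    which captures indirect ownership through intermediate holding companies.
    """
    blocked = {name: 100.0 for name in sdn}
    while True:
        totals: Dict[str, float] = {}
        for owner, stakes in ownership.items():
            if owner not in blocked:
                continue
            for entity, pct in stakes:
                totals[entity] = totals.get(entity, 0.0) + pct
        newly = {e: p for e, p in totals.items() if p >= 50.0 and e not in blocked}
        if not newly:
            return blocked
        blocked.update(newly)


def ownership_screen(entity: str, ownership: Dict[str, List[Tuple[str, float]]],
                     sdn: Set[str]) -> Tuple[bool, float]:
    """Return (is_blocked, aggregate blocked ownership %) for one counterparty."""
    blocked = blocked_entities(ownership, sdn)
    return entity in blocked, blocked.get(entity, 0.0)


if __name__ == "__main__":
    for name in ("HoldCo", "TradeCo", "CleanCo"):
        hit, pct = ownership_screen(name, OWNERSHIP, SDN_LIST)
        print(f"{name}: name-only={name_screen(name, SDN_LIST)} "
              f"ownership={hit} ({pct:.0f}% held by blocked persons)")
```

CleanCo stays clear because the single listed holder stays below 50%, while HoldCo is caught by aggregation across two listed persons and TradeCo by propagation through HoldCo.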
Yes. UAE Federal Decree-Law No. 36 of 2023 introduced mandatory pre-completion merger notification for transactions that meet the filing thresholds. The CRC (Competition Regulation Committee) must be notified of any merger, acquisition, or joint venture that exceeds AED 300 million in aggregate UAE-nexus revenue (combined revenue of the parties within the UAE). The notification must be filed before closing, and the CRC has a Phase I review period of 90 business days (extendable for Phase II). Failure to notify carries fines and potential unwinding of the completed transaction. The CRC also has dawn raid powers to investigate suspected cartel activity and abuse of dominance. Companies should assess competition filing requirements at the term sheet stage of any M&A transaction, not after signing. The AED 300 million threshold captures many mid-market GCC deals that previously required no competition filing.
GSDA redesigned our entire compliance programme after we expanded from France into the UAE and Saudi Arabia. They identified that our UBO registers were non-compliant, our data protection framework covered only GDPR, and our anti-corruption programme had not been tested since 2019. The integrated framework they built replaced three separate compliance silos with a single programme that actually works under regulatory scrutiny.
Chief Compliance Officer — European Financial Services Group, Regional Operations
The GSDA advantage
Multi-jurisdictional compliance architecture — we design integrated compliance programmes that satisfy regulators in France, the UAE, and Saudi Arabia simultaneously, avoiding the duplication and inconsistency that arises from jurisdiction-specific programmes designed in isolation. A single compliance framework that addresses SAPIN II, UAE AML/CFT, GDPR, UAE PDPL, and Saudi PDPL is more cost-effective and more effective than five separate programmes.
AFA audit experience — our Paris-based compliance lawyers have prepared companies for AFA audits and designed SAPIN II-compliant programmes from inception, giving us practical experience of the standards French regulators actually apply. We know what the AFA auditor looks for — because we have been in the room when they looked.
Enforcement response capability — when compliance failures occur, we provide rapid-response internal investigation, regulatory engagement, remediation design, and enforcement defence. We contain exposure, cooperate effectively with regulators, and implement the corrective measures that demonstrate genuine compliance commitment — the factors that mitigate penalties in every jurisdiction where we practise.
Our offices
Our regulatory compliance team operates from offices in France, the Gulf, and North Africa — ensuring local expertise wherever your business needs it.
Saudi Arabia Practice
Five offices across the Kingdom — Riyadh, Jeddah, Dammam, Makkah & Madinah — serving Vision 2030 giga-projects, MISA-licensed foreign investors, and international contractors.