United Arab Emirates — Supervision & Enforcement (FATCA, CRS/AEOI & QI)

Last updated: 24 Nov 2025

Who checks what? The UAE Ministry of Finance (MoF) as Competent Authority for FATCA/CRS, sector regulators such as the Central Bank of the UAE (CBUAE), the Securities and Commodities Authority (SCA), the Dubai Financial Services Authority (DFSA), the Abu Dhabi Global Market Financial Services Regulatory Authority (FSRA) and the Federal Tax Authority (FTA), plus the IRS for the QI regime – a high-level overview of review focus areas, measures, typical findings and sanction risks for UAE banks and other financial institutions.

1) Who supervises what in the UAE?

Authority / Body | Primary focus | Examples of review areas
Ministry of Finance (MoF) | FATCA & CRS / Automatic Exchange of Information | Issuing UAE FATCA/CRS legislation and guidance, operating the FATCA/CRS portal, collecting account data and risk assessments from Reporting UAE Financial Institutions, and exchanging information with the IRS and partner jurisdictions; overall oversight of AEOI implementation and follow-up on significant non-compliance cases.
CBUAE, SCA, DFSA, FSRA, FTA | Regulatory supervision of UAE Reporting FIs | As delegated “Regulatory Authorities” for FATCA/CRS, supervision of implementation by institutions within their remit (e.g. CBUAE for banks and insurers, SCA for certain securities firms, DFSA in the DIFC, FSRA in the ADGM, FTA for certain financial entities); checks on due diligence procedures, internal controls, governance, and quality of reports submitted to MoF.
CBUAE & other regulators | Prudential supervision, risk management & governance | Board and senior management oversight of regulatory and tax reporting, integration of FATCA/CRS/QI risks into risk management, adequacy of internal controls, outsourcing and third-party risk management, IT and data governance supporting AEOI and tax reporting.
CBUAE, SCA, DFSA, FSRA, UAE FIU | AML/CFT supervision | Application of federal AML/CFT laws and regulations, risk-based customer due diligence and ongoing monitoring, transaction monitoring and suspicious transaction reporting via the goAML portal, sanctions and proliferation financing screening, remediation of identified deficiencies and alignment with the UAE National AML/CFT Strategy.
IRS | QI regime & FATCA (US perspective) | Compliance with the QI Agreement, quality of W-8/W-9 documentation and “reason-to-know” reviews, US withholding and reporting on Forms 1042/1042-S, fulfilment of FATCA obligations under the UAE–US IGA, periodic certifications and reviews, and adequacy of remediation for material failures.

2) Possible measures and supervisory responses

  • MoF & sector regulators (FATCA/CRS): Desk reviews and thematic inspections of FATCA/CRS compliance, requests for additional information and documentation, requirements to file corrected or late reports, and escalation of significant non-compliance to the IRS under the IGA; MoF and domestic regulators can impose administrative penalties for AEOI failures under local law.
  • CBUAE / SCA / DFSA / FSRA: Supervisory findings in inspection reports and letters, requirements for remediation plans and progress reporting, increased supervisory intensity, restrictions or conditions on licences or activities, and – in serious cases – substantial financial penalties and public enforcement notices.
  • AML/CFT authorities: On-site and off-site AML/CFT inspections, directions to improve risk assessments, controls and reporting, administrative and civil penalties for breaches of AML/CFT obligations, and, in more serious or repeated cases, large fines and publication of enforcement actions against firms and individuals.
  • IRS (QI/FATCA): Remedial obligations (curing documentation, additional withholding, re-reporting), expansion of sample reviews, additional reporting requirements and, where material failures persist, the risk of QI Agreement termination or non-compliant FATCA status with 30% withholding on certain US-source payments.

3) Typical findings (examples)

  • Documentation and TIN gaps: Missing or invalid US or foreign TINs, incomplete or outdated self-certifications, undocumented accounts with no documented follow-up process, weak evidence of reasonable efforts to obtain AEOI information from recalcitrant clients.
  • Misclassification of entities and accounts: Incorrect identification of Reporting vs. Non-Reporting Financial Institutions, misclassification of entities as FIs or NFEs (active vs. passive), incorrect residence or controlling person status, inconsistencies between onboarding/KYC records and FATCA/CRS reporting.
  • Data and system inconsistencies: Breaks between customer master data, AML systems, FATCA/CRS reporting engines and QI documentation; lack of clear data lineage and mappings; limited reconciliations between data provided to MoF, regulators and internal books and records.
  • Governance and control weaknesses: No clearly designated owner for cross-border tax reporting, insufficient three-lines-of-defence structure, limited management information on error rates, backlogs and remediation status, policies not updated for the latest MoF, CBUAE, SCA, DFSA/FSRA or IRS guidance.
  • Process and technical issues: Schema and business-rule errors in FATCA/CRS XML filings, missed or late submissions to the MoF portal, inadequate testing after system changes, heavy reliance on spreadsheets and manual workarounds without documented controls or evidence of review.
  • QI-specific deficiencies: Sample reviews revealing under-withholding or incorrect application of treaty benefits, missing or inconsistent W-8/W-9 forms, insufficient “reason-to-know” checks for red-flag documentation, late or incorrect Forms 1042/1042-S, and remediation steps not recorded in a way that supports Responsible Officer certifications.

4) Sanction risks (high-level)

  • Tax / reporting penalties: Administrative penalties and other sanctions under UAE law for failures to file, late filing or inaccurate FATCA/CRS returns or other AEOI-related obligations; potential broader tax penalties where misleading or false information is provided.
  • Regulatory consequences: Enforcement action by CBUAE, SCA, DFSA or FSRA, including significant monetary penalties, conditions or restrictions on licences, and intensified supervision where control weaknesses are serious or repeated.
  • AML/CFT enforcement risk: Large fines and public enforcement statements for AML/CFT breaches, prohibition orders against individuals, and potential knock-on impact on the institution’s risk rating and access to certain business lines or counterparties.
  • US-side QI/FATCA risks: Exposure to 30% withholding on US-source payments if the institution is treated as non-compliant for FATCA purposes, limitations or termination of QI status, and broader consequences for US securities and USD clearing activities.
  • Reputational impact: Public regulatory announcements and media coverage of AEOI, AML or QI-related enforcement can affect perceptions of the institution’s control environment, with potential effects on client relationships, funding costs and group booking-centre decisions.

5) Prevention & remediation

Preventive measures

  • Maintain an integrated compliance framework for FATCA, CRS and QI that is aligned with the UAE’s National AML/CFT Strategy and the expectations of MoF, CBUAE, SCA, DFSA and FSRA, with clear governance and escalation paths.
  • Document data lineage and mappings from onboarding and customer master data through to FATCA/CRS reporting and IRS forms; implement reconciliations and quality checks before data is submitted via the MoF portal.
  • Operate regular TIN, GIIN and status controls (including checks against IRS lists and validation of self-certifications) and proactive client outreach to remediate missing or invalid information well before reporting deadlines.
  • Align KYC/AML and tax documentation processes so a single onboarding and periodic review cycle supports both AML/CFT and AEOI/QI requirements; ensure that changes captured by AML reviews feed through to FATCA/CRS classifications.
  • Provide regular training for Front Office, Operations, Tax, Compliance, Risk and IT teams, using recent UAE and international enforcement cases to illustrate how tax reporting and AML control failures can interact.

When findings occur

  • Conduct a structured root-cause analysis for each material issue, covering policy, process, system and people dimensions; define a remediation plan with clear owners, milestones and due dates.
  • Maintain a comprehensive audit trail from issue identification through analysis, remediation, re-testing and closure, with documentation that can be shared with MoF, CBUAE, SCA, DFSA, FSRA and the IRS if requested.
  • Reconcile KYC/AML ↔ FATCA/CRS ↔ QI data sets after corrections to restore consistency, and embed improved controls into business-as-usual processes to reduce the risk of recurrence.
  • Use independent reviews (internal audit or external advisers) to test the design and operating effectiveness of enhancements and to support Board, senior management and Responsible Officer attestations.

Disclaimer: Specific supervisory expectations, penalties and measures depend on the facts of each case. The applicable UAE legislation, MoF and domestic regulator guidance and – for QI/FATCA – current IRS requirements are decisive. Institutions should monitor updates and, where appropriate, seek professional advice for their particular situation.