DIFC and ADGM are both common law financial centres operating in the UAE, but their CDD regimes are not interchangeable. The DFSA and the FSRA have aligned core principles with FATF, but they diverge on documentation standards, beneficial ownership approach, screening expectations, and the treatment of group reliance. Firms that operate across both need methodology that respects the differences, not a single framework with a UAE label on it.
The Gulf is more interesting than most UK firms realise. The two leading financial free zones, the Dubai International Financial Centre and the Abu Dhabi Global Market, are both common law jurisdictions with sophisticated regulators, English-language rulebooks, and active financial services sectors. Both regulate broadly to FATF standards. Both operate independently of the wider UAE federal regime. And both have genuinely different expectations about how firms should approach customer due diligence.
I spend a meaningful portion of my time helping UK-headquartered firms build CDD frameworks that work in the Gulf. The most consistent mistake I see is firms treating DIFC and ADGM as if they were one regulatory environment with two postcodes.
Both regulators sit within FATF-aligned frameworks. The DFSA's Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module and the FSRA's Anti-Money Laundering and Sanctions Rules and Guidance both require firms to apply a risk-based approach, conduct customer due diligence at onboarding, refresh CDD periodically, and report suspicious activity to the UAE Financial Intelligence Unit. Both require enhanced due diligence for high-risk relationships, both require politically exposed person screening, and both require sanctions screening against UN, OFAC, and UAE-specific lists.
The framing language is similar enough that a casual reading suggests the regimes are interchangeable. They are not.
The first divergence is on beneficial ownership. Both regimes require firms to identify beneficial owners, but the approach has moved in different directions. The DFSA's March 2026 update to its AML, Counter-Terrorist Financing and Sanctions Module shifted to a risk-based approach without a fixed percentage threshold, requiring firms to apply judgement rather than rely on a bright-line test. The ADGM continues to operate alongside the Beneficial Ownership and Control Regulations 2022, which use 25 percent as the test for ADGM corporate registration purposes, although the FSRA's CDD obligations sit alongside that framework rather than collapsing into it. Firms that apply a single percentage rule and assume it satisfies both regulators are working from a model that is now outdated on the DFSA side.
The second is on documentation standards. The DFSA places weight on certified copies and notarised translations for documents originating outside the DIFC. The FSRA accepts a wider range of authentication methods, including digital identity verification through approved providers. A firm that builds its document collection process around DFSA expectations may find it is doing more work than ADGM requires. A firm that builds for ADGM expectations and assumes DFSA will accept the same evidence will find that documentation is rejected.
The third is on group reliance. Both regimes permit firms to rely on CDD performed by another regulated entity in their group, subject to conditions. The conditions diverge. The DFSA imposes specific written agreement requirements and quality assurance obligations on the relying firm. The FSRA's framing is broader but still requires evidence that the relied-upon CDD meets the FSRA's standards. A reliance arrangement that works in the DIFC may not satisfy the FSRA without additional documentation.
The fourth is on screening expectations. Both require sanctions and PEP screening, but the lists, the screening frequency expectations, and the false positive resolution standards differ. The UAE federal sanctions list applies in both. The local lists do not always align. In our experience, adverse media practice has tended to develop more visibly in some DIFC firms than in their ADGM counterparts, although the published rulebook expectations on adverse media screening are broadly comparable across the two regulators.
The fifth, and the one that catches firms out most often, is on data residency. Both regulators have views on where regulated data is held, processed, and transferred. The DFSA's data protection regime and the ADGM's are both based on common law principles, but the implementation details differ. A CDD platform that is acceptable in one may not be acceptable in the other without additional configuration.
A firm operating in both centres needs methodology that respects both regimes without duplicating effort. The right answer is not two separate frameworks, because that produces operational friction and inconsistent client experience. The right answer is also not one framework averaged across the two, because averaging creates blind spots in both directions.
The right answer is a single methodology with jurisdiction-aware logic. The risk assessment runs on common principles, but the documentation requirements, the screening logic, the reliance treatment, and the data handling all vary by where the relationship is booked. The methodology is documented in a way that allows the firm to demonstrate, to either regulator, that the framework respects that regulator's specific expectations.
This is harder to build than a single framework. It is also significantly easier than running two parallel frameworks, and it scales better when the firm expands into Saudi Arabia, Kuwait, Qatar, or the wider UAE federal regime. The same architecture that handles DIFC and ADGM can accommodate SAMA, CBK, QCB, and QFCRA, provided the methodology is configurable rather than hard-coded.
The UAE came off the FATF grey list on 23 February 2024. The expectation that comes with that is real. Both the DFSA and the FSRA have continued to raise their supervisory intensity in the years since. Enforcement action across the Gulf is up. Fines are up. Public censure is up. The regulators have made clear that grey list removal was a milestone, not a finish line, and that firms operating in their jurisdictions are expected to operate to standards that justify the UAE's position outside the grey list.
The firms that adapted early to this shift are now competing on the basis of regulatory maturity. The firms that have not are running compliance frameworks built for a softer supervisory environment, and the gap between where their frameworks are and where they need to be is wider than they often realise.
| Area | DIFC (DFSA) | ADGM (FSRA) |
|---|---|---|
| Rulebook | Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML) | Anti-Money Laundering and Sanctions Rules and Guidance (AML) |
| Beneficial ownership | Risk-based, no fixed percentage threshold (March 2026 module update) | 25% test under BOCR 2022 for registration; CDD obligations sit alongside |
| Document authentication | Weighted toward certified and notarised copies | Wider acceptance including approved digital ID |
| Group reliance | Specific written agreement and QA obligations | Broader framing, evidence of equivalence required |
| Data protection regime | DIFC Data Protection Law (Law No. 5 of 2020) | ADGM Data Protection Regulations 2021 |
| STR reporting | Direct to UAE FIU via goAML; DFSA acts as supervisor | Direct to UAE FIU via goAML; FSRA acts as supervisor |
None of these differences make either regime harder or easier in absolute terms. They make them different. A firm that respects the difference can operate efficiently in both. A firm that does not will eventually find that one regulator is asking questions the firm's framework was not designed to answer.
Verigrade Gulf is a CDD risk engine purpose-built for DIFC, ADGM, SAMA, CBK, QCB, and QFCRA. One codebase, six regulatory content bundles, jurisdiction-aware methodology, and data residency aligned to each regulator.