UAE Risk Advisory
Governance, Risk & Compliance

Enterprise risk, internal-controls design and the UAE regulatory compliance stack — AML/CFT, Economic Substance, UBO, sanctions and data protection — under one governance framework. Partner-led.

  • Enterprise Risk
  • Internal Controls
  • AML / ESR / UBO
  • Sanctions Screening
  • Governance

One Governance Framework Over a Stack of UAE Obligations

UAE compliance is now a stack: AML/CFT under Federal Decree-Law No. 10 of 2025 (which replaced Decree-Law No. 20 of 2018), Economic Substance under Cabinet Decision No. 57 of 2020, UBO reporting under Cabinet Decision No. 58 of 2020, sanctions screening and data protection. Avyanco's Risk Advisory practice puts one governance, risk and compliance (GRC) framework over the whole stack, running enterprise risk assessment, controls and monitoring.

UAE compliance is no longer a single obligation — it is a stack. Anti-Money Laundering and Counter-Terrorism Financing under Federal Decree-Law No. 10 of 2025 (which replaced Federal Decree-Law No. 20 of 2018), the Economic Substance Regulations (Cabinet Decision No. 57 of 2020), which applied to the 2019–2022 financial years before being discontinued by Cabinet Decision No. 98 of 2024 for periods from 1 January 2023, Ultimate Beneficial Owner reporting under Cabinet Decision No. 58 of 2020, sanctions screening, data protection under the UAE Personal Data Protection Law, plus Corporate Tax and VAT controls. Handled piecemeal, the obligations overlap, conflict and leave gaps that surface in a regulator review.

Avyanco's Risk Advisory practice puts one governance-risk-and-compliance (GRC) framework over the whole stack. We run the enterprise risk assessment, design the internal controls and policies, map each regulatory obligation to an owner and a control, and build the monitoring that evidences compliance. It complements our dedicated AML programme and ties into the internal audit and Corporate Tax work — so risk, controls and compliance are governed as one system, not a drawer of separate certificates.

Avyanco risk advisory team mapping a UAE governance, risk and compliance framework

Risk Advisory Services

Three layers of the GRC framework.

Enterprise Risk & Controls

Risk assessment across the business, a risk register the board owns, and the design of the internal controls that mitigate the priority risks.

  • Enterprise risk assessment & register
  • Internal controls design
  • Policies, SOPs and delegation of authority
  • Risk appetite and reporting
  • Business-continuity planning

Regulatory Compliance

The UAE regulatory stack mapped to owners and controls — Economic Substance, UBO, sanctions screening and data protection — with the filings managed.

  • Economic Substance (ESR) assessment & filing
  • Ultimate Beneficial Owner (UBO) register & filing
  • Sanctions and PEP screening
  • Data-protection (PDPL) review
  • Compliance calendar and monitoring

Governance & Health Checks

Governance framework reviews, compliance health checks and remediation roadmaps — independent assurance that the framework actually works.

  • Compliance health check / gap analysis
  • Governance framework review
  • Remediation roadmap
  • Policy and committee structure
  • Regulator-readiness review

How a Risk Advisory Engagement Works

Five steps from assessment to ongoing monitoring.

  1. 01

    Risk & Obligation Mapping

    Identify the risks and the specific regulatory obligations that apply to the entity — AML, ESR, UBO, sanctions, data protection, tax controls.

  2. 02

    Gap Analysis

    Test current policies, controls and filings against the obligations to surface gaps, overlaps and exposures.

  3. 03

    Framework Design

    Design the GRC framework — risk register, policies, controls, owners and a compliance calendar — proportionate to the business.

  4. 04

    Implementation

    Stand up the controls, complete the outstanding filings (ESR, UBO and others) and put the monitoring in place.

  5. 05

    Monitoring & Review

    Ongoing monitoring, periodic reviews and a refresh as the business and the regulations evolve.

Why Use Avyanco for Risk Advisory

One framework over the whole obligation stack — governed, owned and evidenced.

Enterprise risk assessment and a board-owned risk register

Internal controls designed against the priority risks

Economic Substance (ESR) assessment and filing under Cabinet Decision 57/2020

Ultimate Beneficial Owner (UBO) register and filing under Cabinet Decision 58/2020

Sanctions and PEP screening and a data-protection (PDPL) review

Compliance calendar so deadlines are owned, not missed

Coordinated with the dedicated AML programme and internal audit

Partner-reviewed governance framework and remediation roadmap

The Avyanco Advantage

GRC run as one governed system, not a drawer of separate certificates.

One Framework

AML, ESR, UBO, sanctions, data protection and tax controls governed under a single GRC framework — no gaps between silos.

Obligations Owned

Every regulatory obligation mapped to an owner, a control and a deadline on a live compliance calendar.

Independent Assurance

Compliance health checks and governance reviews that tell the board what actually works — and what needs fixing.

Proportionate

A framework sized to the business — enough control to satisfy the regulator without strangling operations.

Tax-Aware

Controls over Corporate Tax, VAT and transfer-pricing obligations folded into the same framework.

Regulator-Ready

Documentation and evidence packaged so a regulator review is a walk-through, not a scramble.

Meet Our Specialists

Partner-led compliance practice — Avyanco's risk and compliance team works alongside the audit and tax leads.

Vikas Dhingra, CFO at Avyanco

Vikas Dhingra

Chief Financial Officer · Tax & Structuring

Chandy Joseph, Sales Director at Avyanco

Chandy Joseph

Sales Director · UAE Company Setup

Ishan Naruka, Head of Growth at Avyanco

Ishan Naruka

Head of Growth · Free Zones & Expansion

Pritesh Mehta, Head of Operations at Avyanco

Pritesh Mehta

Head of Operations · Visas & PRO Services

Why Groups Choose Avyanco for Risk Advisory

Three things that come up in every GRC engagement.

Avyanco partner closing a UAE risk and compliance engagement

Whole-Stack View

AML, ESR, UBO, sanctions and data protection governed together — the gaps between separate obligations are where exposure hides.

Controls That Hold

Internal controls designed against a real risk assessment and tested for operating effectiveness — not policies that sit on a shelf.

Audit-Linked

Risk and controls tie into internal and external audit — one coherent assurance picture for the board.

What Clients Say

Recent feedback from groups Avyanco runs risk and compliance work for.

UAE Risk Advisory — Frequently Asked Questions

Common questions about governance, risk and compliance in the UAE.

What does Risk Advisory cover that the AML service does not?
Our dedicated AML service runs the anti-money-laundering programme specifically — risk assessment, policies, screening, goAML registration and reporting. Risk Advisory is the umbrella: enterprise risk, internal controls and the wider regulatory stack (Economic Substance, UBO, sanctions, data protection and tax controls) governed under one framework, with AML as one component.
What are the main UAE compliance obligations?
For most entities the core stack is: AML/CFT under Federal Decree-Law No. 10 of 2025 (for entities in scope), the Economic Substance Regulations (Cabinet Decision No. 57 of 2020), which applied to the 2019–2022 financial years before being discontinued by Cabinet Decision No. 98 of 2024 for periods from 1 January 2023, Ultimate Beneficial Owner reporting under Cabinet Decision No. 58 of 2020, sanctions screening, data protection under the UAE Personal Data Protection Law, plus Corporate Tax and VAT controls. Which apply depends on the entity's activity and licence — Avyanco scopes this at the start.
What is Economic Substance Regulation (ESR)?
ESR (Cabinet Decision No. 57 of 2020) requires UAE entities carrying on a 'Relevant Activity' to demonstrate adequate economic substance in the UAE and to file an ESR notification and, where in scope, an ESR report. Avyanco assesses whether a Relevant Activity is carried on and manages the notification and report.
What is UBO filing?
Ultimate Beneficial Owner regulations (Cabinet Decision No. 58 of 2020) require most UAE entities to maintain a register of their beneficial owners and to file it with the licensing authority, keeping it current as ownership changes. Avyanco prepares and maintains the UBO register and manages the filing.
Do you provide legal advice?
No. Avyanco provides risk, controls and compliance advisory — framework design, assessments, filings and monitoring. We are not a law firm and do not provide legal opinions; where a legal opinion is needed we work alongside your appointed legal counsel.
Sources & official references

UAE Ministry of Finance · UAE Ministry of Economy

Verification & independence

Content prepared from publicly available UAE regulatory sources — Federal Decree-Law No. 10 of 2025 on anti-money laundering (which replaced Federal Decree-Law No. 20 of 2018), Cabinet Decision No. 58 of 2020 on Ultimate Beneficial Owners, and Federal Decree-Law No. 45 of 2021 on Personal Data Protection — as of June 2026. Note: the Economic Substance Regulations (Cabinet Decision No. 57 of 2020) were discontinued by Cabinet Decision No. 98 of 2024 for financial years beginning on or after 1 January 2023, and now apply only to the 2019–2022 financial years. Avyanco Business Consultancy LLC is independent of all UAE government authorities and provides compliance advisory, not legal advice.

Regulatory obligations, thresholds, relevant activities and filing requirements evolve and depend on the entity's activity and licence. Always confirm the current rules for your specific entity directly with the relevant authority and a qualified adviser before acting on any fact on this page.

Get expert advice

Speak to a UAE specialist

Tell us what you need and a senior advisor will respond within one business day — no obligation.

  • Partner-led — you speak to a senior advisor, not a junior analyst
  • A straight answer on the right structure, cost and timeline
  • A reply within one business day, every time
  • A free, no-obligation 30-minute scoping call

Confidential · A senior partner responds within one business day

Need Your Compliance Stack Governed?

Book a partner-led conversation on enterprise risk, internal controls or the UAE regulatory stack — AML, ESR, UBO, sanctions and data protection under one framework.

Book a Consultation