HONG KONG · EAST ↔ WEST
info@lockhartyip.comResponse within 4 hours (UTC+8)
Discuss your matter
Home/Insights/Disputes & Arbitration
Sanctions & AML

A practical guide to sanctions due diligence for a deal touching the UAE

Sanctions due diligence for a deal touching the UAE. A practical guide for in-house counsel. A note for cross-border groups. Write to info@lockhartyip.com.

A deal with a UAE counterparty, an asset in Dubai, or a payment channel running through an Emirati bank sits at the intersection of at least three distinct sanctions regimes – and possibly a fourth. The question for the in-house counsel or principal is not whether sanctions due diligence is required. It is where to start, what sequence to follow, and at which gate to stop and reassess.

Sanctions due diligence for a deal touching the UAE requires a structured, multi-regime review covering the United Nations sanctions framework, the UAE's own domestic sanctions apparatus, and the sanctions postures of any other jurisdiction whose law touches the transaction – including, where Hong Kong entities or payment channels are involved, the position under Hong Kong law. The governing instruments include the United Nations Sanctions Ordinance (Hong Kong), the UAE's Federal Decree-Laws on combating money laundering and terrorism financing, and the FATF-standard customer due diligence rules that apply to financial intermediaries in both jurisdictions. There is no single global licence or clearance; the diligence is jurisdiction-by-jurisdiction and counterparty-by-counterparty.

This guide sets out the decision the reader faces, the sequence of steps in order, the gate at each step, the common mistakes, and a closing checklist. It is written for in-house counsel, compliance officers, and advisers working on transactions with a UAE element and a cross-border payment or holding structure running through Hong Kong or another common-law centre.

Why the UAE raises a specific sanctions-diligence question

The UAE is not a sanctioned jurisdiction. That is the starting point – and also, for many practitioners, the source of the error. Precisely because the UAE is open, internationally connected, and deeply integrated into global banking and trade finance, it attracts counterparties and structures that may themselves carry sanctions exposure. The UAE's Financial Intelligence Unit and its Executive Office for Control and Non-Proliferation have published designated-party lists that do not map identically onto UN lists or the lists of other major regimes. A counterparty clean under one list may appear on another.

The cross-border dimension matters immediately. Hong Kong implements United Nations sanctions and does not give domestic effect to unilateral measures of other states. That is a factual and legally significant position. It means that a Hong Kong entity transacting with a UAE counterparty operates under the UN framework – not, as a matter of Hong Kong law, under the unilateral measures of the United States, the United Kingdom, or the European Union. But where a payment channel, a correspondent bank, a custodian, or a clearing mechanism involves institutions subject to those other regimes, the practical exposure is real and must be assessed separately. In our cross-border practice, the failure to distinguish the legal position from the commercial reality is the single most common analytical error we see.

The UAE joined the Financial Action Task Force (FATF, the international standard-setter for anti-money laundering and counter-terrorist financing) and has made substantial regulatory reforms following its 2022 FATF grey-listing and subsequent exit from the grey list in 2024. Those reforms changed the due-diligence environment: UAE financial institutions now apply more rigorous customer due diligence, source-of-funds verification, and transaction monitoring. A deal structured before 2024 may have passed through channels that would now face additional scrutiny. Parties should verify the current position before relying on prior diligence files.

Step one: Map the transaction's jurisdictional footprint before touching the counterparty file

The first step is a jurisdictional map of the deal itself – not the counterparty – because the map determines which sanctions regimes are legally applicable and which are commercially relevant. These are two different questions, and conflating them wastes time and produces the wrong answers.

Start with the legal entities involved. For each entity – buyer, seller, target, guarantor, trustee, custodian – record its jurisdiction of incorporation, its jurisdiction of operations or management and control, and the nationality or residence of its ultimate beneficial owners (UBOs, the natural persons who ultimately own or control the entity). This is the corporate-law layer.

Next, map the payment channels. Where is the transaction account held? What currency denominates the consideration? Which correspondent banks, clearing systems, or custodians will touch the funds? A payment in US dollars almost certainly transits a US correspondent, bringing the US Office of Foreign Assets Control (OFAC, the US Treasury's sanctions enforcement body) into the picture as a commercial matter, even if OFAC rules are not binding on a Hong Kong or UAE entity as a matter of law. A euro payment may transit EU clearing. Sterling touches UK infrastructure. Each leg of the payment chain carries its own practical exposure.

Finally, identify the governing law and dispute forum for the transaction documents. If the contract provides for arbitration seated in Hong Kong under the Arbitration Ordinance (Cap. 609), or for litigation before the Court of First Instance, the Hong Kong legal position is directly engaged. If the governing law is English law or New York law, the adviser must flag the additional regime exposure to the client immediately.

The gate at step one is a written jurisdictional-footprint note. Do not open the counterparty file until this note exists. It tells you which lists to screen against and which payment channels require their own review.

Step two: UN list screening and the UAE domestic-designation review

Once the footprint note is complete, the counterparty screening begins. The primary screen is the UN consolidated sanctions list, administered through the UN Security Council's committees. This is the baseline applicable in both Hong Kong (under the United Nations Sanctions Ordinance) and the UAE (under its own domestic AML and sanctions legislation). A match on the UN list is a hard stop.

The UAE maintains its own designation lists, published by the UAE Executive Office for Control and Non-Proliferation. These do not replicate the UN list verbatim. Individuals and entities may appear on the UAE list who do not appear on the UN list, and vice versa. For a deal with UAE counterparties, a UAE domestic-list check is mandatory in addition to the UN screen. In our cross-border practice, we regularly see diligence files that run the UN screen and stop there – missing UAE-specific designations that are directly relevant to the transaction.

For each counterparty and each UBO, run the screen against: (1) the UN consolidated list; (2) the UAE domestic designation list; and (3) any other list applicable as a matter of law given the footprint (for example, the HKSAR sanctions notices published under the United Nations Sanctions Ordinance). Record the date of the screen, the database version used, and the outcome for each name searched. Where a name produces a potential match, apply a false-positive analysis (a structured comparison of identifiers – date of birth, nationality, address, associated entities – to determine whether the match is the same person or a name coincidence). Document the analysis and the conclusion.

The gate at step two is a clean-screen certificate or a documented false-positive clearance. Any unresolved potential match is a hard stop: the deal does not proceed to step three until the match is resolved or a qualified legal opinion addresses the position.

Step three: Source-of-funds and UBO tracing for UAE structures

A clean sanctions screen is necessary but not sufficient. For UAE transactions, source-of-funds and UBO tracing is a separate and equally important step. The UAE corporate environment includes free-zone entities, Special Purpose Vehicles (SPVs, entities incorporated solely to hold a specific asset or interest), and structures layered across multiple offshore jurisdictions – BVI, Cayman, and sometimes Liechtenstein or Cyprus. Each layer requires penetration to reach the natural persons who ultimately control and benefit.

The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Hong Kong) requires any person who is a designated non-financial business and profession or a financial institution to conduct customer due diligence and to identify and verify UBOs. Where the Hong Kong entity or adviser is caught by these obligations, the standard requires penetrating the ownership chain to the natural person, regardless of the number of intermediate layers.

For UAE structures specifically, request and review: the constitutional documents of each entity in the chain; the UAE commercial licence or free-zone registration certificate; the register of shareholders or members; any nominee arrangements and their underlying principals; and the source-of-funds declaration, supported by documentary evidence (bank statements, sale proceeds documentation, tax returns, or equivalent). Where a layer sits in a jurisdiction with a beneficial-ownership registry (a public or government-accessible register of ultimate beneficial owners), request the registry extract and reconcile it with the self-declared UBO information.

The common mistake here is accepting the self-declared UBO at face value without documentary corroboration. A structure that presents a UAE national as the sole UBO of a BVI holding company controlling a Cayman SPV requires the same penetration as any other layered structure. The number of layers is not, in itself, suspicious; the absence of coherent documentation for each layer is.

The gate at step three is a complete, documented UBO map with corroborating evidence for each natural person identified, and a source-of-funds trail that traces the relevant assets to a plausible and documented origin. Where the trail cannot be completed – for example, because an intermediate layer is in a jurisdiction that does not maintain an accessible registry – document the gap, the steps taken to close it, and the residual risk assessment.

Step four: Payment-channel risk assessment and the banking-access question

The payment channel is where enforcement exposure is most acute. This is the centre of gravity for compliance work on UAE transactions. A transaction that clears all prior gates can still be blocked, delayed, or unwound at the banking layer if a correspondent institution applies a more restrictive screen than the parties anticipated.

Map each leg of the payment: the originating account, the correspondent or clearing institution, and the beneficiary account. For each institution in the chain, identify the regulatory regime to which it is subject. A US correspondent bank is subject to OFAC rules regardless of where its counterparty is incorporated. A UK-regulated institution is subject to UK sanctions. An EU institution is subject to EU sanctions regulations. The practical effect is that a payment structure that is legally compliant under Hong Kong and UAE law may still face a refusal or a freeze at a correspondent leg.

This is not a reason to avoid the transaction. It is a reason to structure the payment chain with eyes open. In our cross-border practice, the most effective approach is to document the compliance position at each leg before the payment instruction is issued – not after. A correspondent that receives a payment with a complete, pre-prepared compliance file attached is in a materially different position from one receiving a bare instruction for a transaction it has not previously seen.

Where a payment channel is assessed as carrying elevated risk – for example, because a correspondent has previously queried transactions of a similar type, or because the ultimate beneficiary is in a jurisdiction that generates heightened scrutiny – consider whether an alternative channel is available, whether the transaction can be restructured to reduce the correspondent exposure, or whether a legal opinion addressed to the banking institution is appropriate. The question is never whether to circumvent the system; it is how to demonstrate, proactively, that the transaction is clean.

For further context on the Hong Kong legal position on sanctions and payment channels, see our analysis at sanctions-neutral contracting approach through Hong Kong and our guide to Hong Kong's sanctions posture in cross-border transactions.

The gate at step four is a written payment-channel risk assessment, confirmed with the relevant banking institutions before the transaction closes. Where a confirmation cannot be obtained in advance, the risk assessment must be documented and disclosed to the client, who should make an informed decision about proceeding.

The sequence above describes the standard position. Your matter turns on the documents, the jurisdictions actually engaged, and the order of steps – which is where the route is won or lost. For a structured assessment of your payment-channel exposure across the relevant jurisdictions, write to us at info@lockhartyip.com.

Step five: Contract documentation and the compliance representations

Sanctions due diligence does not end with the pre-closing screen. The transaction documents must reflect the compliance position and provide the parties with workable mechanisms if the position changes after signing.

The minimum documentation standard for a UAE-connected deal includes: a sanctions representation and warranty by each party, addressing the UN framework and (where applicable by governing law) any additional regime; a sanctions event of default or termination right, triggered by a post-signing designation of a party or its UBO; a change-of-control notification requirement; and an obligation to maintain and update the UBO disclosure during the term of the agreement.

Where the governing law is not Hong Kong law, the representations should be drafted to reflect the applicable regime. A contract governed by English law should address the UK sanctions framework. A contract governed by New York law should address OFAC. Where the governing law is UAE law, the representations should address the UAE domestic framework. In each case, the representation should be limited to the law that actually binds the party making it: a Hong Kong entity cannot warranting compliance with a regime to which it is not subject as a matter of law, and such a warranty creates unnecessary and unquantifiable exposure.

The material adverse change clause (MAC clause, a provision allowing a party to exit if a fundamental adverse development occurs before closing) is a related point. A post-signing designation of a key counterparty or its principal is a paradigm MAC event. Ensure the clause is drafted to capture it explicitly, particularly where the designation could affect banking access, regulatory approval, or the commercial rationale of the deal.

The gate at step five is execution of transaction documents that contain, at minimum, the four elements above. Where the governing law counsel has not addressed the sanctions provisions specifically, flag the gap before signing.

The common mistake: treating sanctions due diligence as a one-time screen

The error we see most consistently – in files that have passed internal compliance review and in transactions that are already in dispute – is treating the sanctions screen as a point-in-time exercise completed at signing and then filed. Sanctions lists are updated continuously. The UN Security Council's committees meet regularly. The UAE Executive Office issues new designations without advance notice. A counterparty that was clean on the day of the screen may not be clean six months later.

For any transaction with a duration extending beyond closing – a joint venture, a loan, a supply arrangement, an investment with ongoing management rights – the diligence programme must include periodic rescreening. The interval should be proportionate to the risk: a higher-risk structure or counterparty warrants more frequent review. Document each rescreening in the same format as the initial screen.

A related error is failing to resscreen on trigger events: a change of control of the counterparty, a change in the UBO declaration, a request to redirect a payment to a new account or entity, or a press report of regulatory investigation involving the counterparty or its principals. Each of these is a trigger for an immediate out-of-cycle screen and a documented risk assessment. If an earlier filing, structure, or diligence attempt produced an adverse or stalled result, a second review can identify the gap and the routes still open.

If you have an existing UAE transaction file that has not been rescreened since closing, or where the initial diligence did not address the UAE domestic-designation list or the payment-channel layer, contact us at info@lockhartyip.com to discuss a structured review.

Decision checklist: before the deal proceeds

The following checklist consolidates the gates described above. It is a starting point, not a substitute for legal advice on a specific transaction.

  • Is the jurisdictional-footprint note complete, covering all entities, all UBOs, and all payment-channel legs?
  • Has each counterparty and each UBO been screened against the UN consolidated list, the UAE domestic-designation list, and any additional list applicable given the footprint?
  • Where a potential match was identified, has a false-positive analysis been documented and concluded?
  • Has the UBO chain been penetrated to the natural-person level, with documentary corroboration for each layer?
  • Has the source-of-funds trail been documented, and are the gaps (if any) assessed and disclosed?
  • Has each leg of the payment channel been identified, with the regulatory regime of each institution noted?
  • Has the payment-channel risk assessment been confirmed with the relevant banking institutions before the instruction is issued?
  • Do the transaction documents contain a sanctions representation, a sanctions event of default or termination right, a change-of-control notification requirement, and an ongoing UBO-disclosure obligation?
  • Is there a programme in place for periodic rescreening and for out-of-cycle rescreening on trigger events?
  • Has the entire diligence file been reviewed by qualified international counsel with experience in Hong Kong, UAE, and UN sanctions frameworks?

For further context on the governing framework and Hong Kong's posture, see our Sanctions & AML practice page.

Related practices

  • Sanctions & AML – cross-border sanctions compliance, AML, and counterparty risk for international groups
  • Corporate Counsel – transaction support, contract documentation, and governance for cross-border deals

Frequently asked questions

How long does sanctions due diligence for a deal touching the UAE usually take?
The duration depends on the complexity of the counterparty structure, the number of jurisdictional layers, and the responsiveness of the counterparty in providing UBO and source-of-funds documentation. A straightforward bilateral transaction with a single UAE entity and a clear ownership chain can be completed in a matter of days. A layered structure involving multiple offshore entities, multiple UBOs across different nationalities, and a multi-leg payment channel will take longer – particularly where documentary gaps require follow-up or where a potential sanctions-list match requires a detailed false-positive analysis. Parties should build diligence time into the deal timetable from the outset; retrofitting it under closing pressure produces errors.
Which jurisdiction's law applies to sanctions due diligence for a deal touching the UAE?
There is no single answer. The legally applicable sanctions regime depends on the jurisdiction of incorporation and operations of each party, the currency and payment infrastructure used, and the governing law of the transaction documents. Hong Kong implements United Nations sanctions and does not give domestic effect to unilateral measures of other states; that is the position under Hong Kong law for Hong Kong entities. The UAE applies its own domestic sanctions framework alongside the UN framework. Where the payment channel involves US-dollar clearing, UK-regulated institutions, or EU-regulated infrastructure, those regimes become commercially relevant even if they are not binding on the parties as a matter of their own law. A properly structured diligence file addresses each applicable and commercially relevant regime in turn, and records the legal basis for each assessment.
What is the first step in sanctions due diligence for a deal touching the UAE?
The first step is a jurisdictional footprint map of the transaction itself – not the counterparty screen. Before any list is consulted, the adviser must identify every legal entity involved, every UBO, and every leg of the payment chain, and record which sanctions regimes are legally applicable and which are commercially relevant to each element. This map determines which lists to screen against and which payment-channel institutions require their own assessment. Skipping this step and going directly to a counterparty screen against a single list is the most common structural error in sanctions due diligence for cross-border transactions.

Speak with Lockhart & Yip

For a scoped view of your matter, contact info@lockhartyip.com. Discuss your matter →

Related

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@lockhartyip.com.

This site uses only strictly necessary cookies. Non-essential cookies are declined by default. Cookie policy