In application of the provisions of this Decree by Law, the following words and phrases shall have the meanings assigned to each of them, unless the context otherwise requires:
State: United Arab Emirates.
The Cabinet: The Council of Ministers of the UAE.
Ministry: Ministry of Finance.
Minister: Minister of Finance.
The Central Bank: The Central Bank of the United Arab Emirates.
Governor: Governor of the Central Bank.
Concerned Authorities: Authorities specified in the Executive Regulations of this Decree by Law.
Platform: “Know Your Client” (KYC) Digital Platform.
Company: The company established pursuant to the provisions of this Decree by Law for the purpose of creating and managing the platform to carry out the tasks of collecting, analysing, utilising, exchanging, and trading KYC data, as well as issuing KYC reports.
Provider: Any authority provides the necessary data to the platform in accordance with the provisions of this Decree by Law and its Executive Regulations. This includes federal and local governmental authorities and institutions, private sector companies and institutions operating within the state or in free zones, financial institutions, insurance companies, and insurance-related professions licensed by the Central Bank, or any other authority deemed by the company as a potential data provider.
Client: Any natural or legal individual who consents to obtaining KYC report concerning such individual.
User: The authority entitled to obtain KYC report in accordance with the provisions of this Decree by Law and its Executive Regulations.
Data of “Know your Client”: Data, information, documents, and official papers related to the client, which shall be provided to the user to enable prior verification of the client in accordance with the provisions set forth in the Executive Regulations hereof.
Report of “Know your Client”: A report issued by the company based on the client approval and the user request, including KYC data.
Client Approval: Prior approval from the client, whether in writing, digitally or by any other legally acceptable means, in accordance with the purposes specified in this Decree-Law and its Executive Regulations.
Codes of Conduct: A binding set of controls applied to the data provider and user to regulate the processes of requesting, collecting, storing, analysing, classifying, using, trading, and exchanging KYC data. It also outlines mechanisms for resolving disputes and determining the operational policies and procedures related to such data.
 

This Decree by Law aims to:
1. Develop the financial infrastructure and enhance digital transformation within the state;
2. Verify the client identity and assess their compliance with the financial and other applicable regulations and legislation in force within the state;
3. Provide the necessary data and information to the user to enhance transparency in financial transactions;
4. Regulate the collection, analysis, classification, and use of KYC data within the state; and
5. Facilitate the exchange of information and cooperation in combating financial crimes.
 

The provisions of this Decree by Law shall apply to the following:
1. The company, data provider, client, and user; and
2. Any party involved with KYC data, as specified by the Executive Regulations hereof.
 

1. In the implementation of the provisions hereof, a company shall be incorporated to develop and manage the KYC Platform. Such company shall possess the legal personality and capacity necessary to carry out activities and shall be subject to the provisions of Federal Decree by Law No. (32) of 2021 regarding commercial companies, as amended, or any other alternative law, unless a special provision is stipulated herein or the company articles of association; and
2. The company shall have a board of directors consisting of no fewer than seven (7) members and no more than eleven (11) members, including the Chairman of the Board. The Board shall be chaired by one of the assistants to the Central Bank Governor. The Central Bank shall prepare the company articles of association in coordination with the Ministry, which shall be issued by a resolution of the Cabinet based on the proposal of the Minister. The articles of association shall include all provisions regulating the company, including the following:
    a. The company name and legal form;
    b. Ownership of the company, its headquarters, and branches;
    c. The company objectives, its issued and authorised capital, and the method of payment thereof;
    d. Procedures and provisions for increasing or decreasing the company capital;
    e. Formation of the Board of Directors, the method of appointing its members, and determination of the competences, powers, and remuneration of its members;
    f. Composition, competences, and powers of the General Assembly;
    g. The company operating system;
    h. Company dissolution and liquidation; and
    i. The minimum ownership of the Federal Government in the company capital, the nature of the shares it holds, and the rights granted by these shares to the Federal Government to vote on the resolutions of the General Assembly.
 

In addition to the activities stipulated for the company under its articles of association, such company shall undertake the following activities:
1. Establishing and managing the Platform;
2. Regulating the processes of collecting, storing, analysing, classifying, using, sharing, and exchanging KYC data in compliance with the state cybersecurity policies, standards, and guidelines;
3. Issuing KYC reports and any related reports or products, in accordance with the controls defined by the Executive Regulations hereof;
4. Coordinating with the data provider to regulate the acquisition of KYC data; and
5. Preparing and developing tools and standards related to risk assessment.
 

Taking into account the provisions of the company articles of association and the controls and resolutions, issued by the Central Bank, in accordance with the provisions of Article (12) hereof, the company shall be obligated to the following:
1. Not to disclose or reveal any KYC data in its possession to others, except as stipulated in this Decree by Law and its Executive Regulations;
2. Implement modern systems for processing KYC data and reports in accordance with the controls and specifications defined by the Executive Regulations hereof;
3. Protect KYC data transmitted through the Platform from loss, damage, unauthorised or unsafe access, usage, or modification, including the development of tools and measures to handle emergency situations;
4. Comply with the use of KYC data in accordance with the provisions stipulated in this Decree by Law, its Executive Regulations, and the resolutions issued by the Central Bank; and
5. Notify the Central Bank of any violations of the provisions and Executive Regulations hereof.
 

1. The client has the right to access the details of KYC report in accordance with the controls outlined by the Executive Regulations or as approved by the Central Bank;
2. The company shall not be liable for any errors in the KYC data provided by the data provider, unless such errors result from negligence of such company or one of its employees; and
3. The Executive Regulations hereof shall specify the procedures and provisions for processing requests to amend KYC reports based on the client request.
 

1. The company shall enter into an agreement with the data provider to regulate the mechanisms for providing, using, and exchanging KYC data, including terms and conditions for protecting such KYC data and ensuring confidentiality;
2. The data provider shall be committed to supplying the company with the requested KYC data, in accordance with the agreement concluded between them, without imposing any financial burdens on such company; and
3. The Executive Regulations hereof shall specify the necessary client data for the Platform that the data provider may supply to the company.
 

The company shall be prohibited from using, trading, or exchanging KYC data for purposes other than those stipulated in this Decree by Law and its Executive Regulations.

1. The user shall obtain the client approval before requesting KYC report. The company shall be required to develop the necessary procedures or laws to ensure that such client approval is obtained for any report requested by such user in this regard; and
2. Notwithstanding the provisions of Paragraph (1) of such Article, the user may, upon an order from the judge of urgent matters, request the company to issue KYC report regarding any person indebted to such user, in accordance with the controls specified by the Executive Regulations hereof.
 

Subject to the provisions of Article (10) of this Decree by Law, KYC data shall be confidential by nature and shall be used exclusively among the parties specified herein and its Executive Regulations. Such data shall not be accessed or disclosed, directly or indirectly, to any user except with the client approval or the approval of the heirs, the legal representative, or an authorised agent, or based on a request from the competent judicial authorities to the extent necessary for investigations and proceedings pending before such authorities.

The Central Bank, in its capacity as the competent regulatory authority over the company activities pursuant to such Decree by Law and its Executive Regulations, shall have the following competences:
1. Monitoring and supervising the proper performance of the company assigned tasks;
2. Setting controls under which the company may conduct its activities and provide services;
3. Formulating and issuing codes of conduct applicable to the data provider and user;
4. Specifying the data and information related to the client that the company may request from data providers; and
5. Issuing any instructions or resolutions to the company in line with the provisions of this Decree by Law, its Executive Regulations, and applicable state laws.

KYC database shall be linked, as specified by the Executive Regulations hereof.

1. A penalty of imprisonment for a period that is not less than (2) two years and a fine that is not less than (AED 50,000) Fifty Thousand Dirhams or one of these two penalties, shall be imposed on:
    a. Disclosing KYC data or report in circumstances not authorised under the provisions hereof and its Executive Regulations;
    b. Obtaining KYC report or gaining access without the required approval under the provisions hereof and its Executive Regulations, or through fraudulent means or false information;
    c. Violating the confidentiality required for KYC data or report;
    d. Wilfully misrepresenting data or providing false information to the company.
2. It shall be an aggravating circumstance if a public employee or any employee of the company commits any of the offences, specified herein and its Executive Regulations; and
3. The imposition of the penalties stipulated herein shall not prejudice any severer penalty stipulated in any other law, nor shall it affect the civil liability of the violator.

The Cabinet shall, based on the proposal by the Minister and in coordination with the Governor, issue the Regulation of Violations and Administrative Penalties for acts committed in violation of the provisions of this Decree by Law and its Executive Regulations, the mechanism for grievance related thereto, and the method for collecting administrative fines.

The Central Bank shall prepare the Executive Regulations hereof in consultation with the relevant state authorities and shall issue it by a resolution of the Cabinet based on the proposal of the Minister. The Executive Regulations shall, at a minimum, include the following:
1. Identifying the nature and description of data providers;
2. The mechanism for supplying the Platform with data, its type, and nature;
3. The rights and obligations of all concerned parties;
4. Specifications and standards for laws used to store, process, protect, and issue all KYC data and reports;
5. The controls under which the client may access the details of KYC report;
6. The controls governing the issuance of KYC reports regarding any debtor of the user; and
7. The mechanism for submitting, examining, and handling complaints related to data.
 

The Board of Directors of the Central Bank, based on the proposal of the company Board and after coordination with the Ministry, shall issue a resolution specifying the financial return that such company receives for providing its services to users.

Employees designated by a Resolution of the Minister of Justice, in agreement with the Governor, shall have the capacity of judicial officers for proving all violations, within their jurisdiction, of the provisions of this Decree by Law, its Executive Regulations, and the resolutions issued in the implementation thereof.

Any provision that violates or contradicts the provisions of this Decree by Law shall be repealed.

This Decree by Law shall be published in the Official Gazette and shall enter into force as of the date of its publication.