DIFC & ADGM AI Compliance in UAE Financial Services: Lighthouse Financial Services $3.75M Fine and the CBUAE AI Regulatory Framework
The Abu Dhabi Global Market fined Lighthouse Financial Services $3.75 million in 2022 for AML failures that represent exactly the compliance pattern regulators across the UAE are increasingly targeting: automated systems deployed without adequate governance, oversight, or fit-for-purpose calibration for the UAE’s specific financial crime risk environment. For financial services firms operating in the DIFC, ADGM, or the broader UAE market under CBUAE supervision, this case, combined with the UAE’s rapidly evolving AI regulatory framework, creates compliance obligations that demand immediate attention.
ADGM Enforcement Action: Lighthouse Financial Services
Regulator: Abu Dhabi Global Market Financial Services Regulatory Authority (FSRA)
Fine: $3,750,000
Date: 2022
Violation: AML/CFT compliance failures including inadequate customer due diligence, insufficient transaction monitoring, and AML governance deficiencies
Official source: ADGM FSRA Enforcement Actions — adgm.com/fsra/enforcement
1. The Lighthouse Case: AML Governance Failures in ADGM
The ADGM Financial Services Regulatory Authority’s enforcement action against Lighthouse Financial Services in 2022 established a significant precedent for AML compliance expectations within Abu Dhabi’s international financial centre. Lighthouse, a financial advisory and intermediary firm authorised under the ADGM Financial Services and Markets Regulations (FSMR), was found to have operated an AML program that was structurally deficient across multiple dimensions.
The FSRA’s enforcement findings identified failures that mirror the pattern documented across global neobank and FinTech enforcement actions: customer due diligence procedures that existed on paper but were inadequate in practice; transaction monitoring thresholds that were not calibrated to the specific risk profile of the UAE financial services market; and an AML governance structure that lacked clear senior management accountability.
The Lighthouse case is particularly instructive for firms deploying automated compliance tools in the UAE context because the ADGM operates under a distinct regulatory framework from the mainland UAE — one that combines elements of English common law, bespoke ADGM regulations, and FATF-aligned AML/CFT requirements. Automated KYC and AML systems designed for UK, US, or EU markets cannot be deployed in the ADGM without jurisdiction-specific calibration and governance adaptation.
CDD Procedure Failures
Customer due diligence procedures did not meet ADGM AML/CFT Rules 2019 requirements. The FSRA found that CDD was conducted in a manner that was superficially compliant but substantively inadequate for identifying and assessing the AML risk presented by individual client relationships.
Transaction Monitoring Gaps
Transaction monitoring thresholds were not calibrated for the ADGM market context. UAE-specific risk factors — including cash-intensive business models common in the region, trade finance patterns, and real estate investment flows — were not adequately reflected in the monitoring parameters.
AML Governance Deficiencies
Senior management accountability for AML was insufficiently defined. The FSRA requires nominated MLRO accountability under the FSMR — the enforcement action found that this accountability was diffuse and that the MLRO lacked adequate authority to enforce AML controls against business line pressure.
2. DIFC Data Protection Law No. 5 of 2020: AI Data Governance
The Dubai International Financial Centre operates under its own legal framework, separate from both mainland UAE law and the ADGM’s Abu Dhabi framework. For financial services firms operating within the DIFC, the data protection regime applicable to AI systems is established by DIFC Law No. 5 of 2020 (the DIFC Data Protection Law), which came into force on July 1, 2020, replacing the prior Law No. 1 of 2007.
DIFC Law No. 5 of 2020 is closely modelled on the EU General Data Protection Regulation, and like the GDPR it contains provisions directly applicable to AI-driven automated decision-making. Article 15 of the Law establishes rights in connection with automated decision-making, including the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects on the individual.
For financial services firms using AI to make credit decisions, account eligibility assessments, or risk classification decisions within the DIFC, this creates a direct compliance obligation: either obtain the data subject’s explicit consent for automated decision-making, demonstrate that the automated decision is necessary for the performance of a contract, or implement the human review requirements under Article 15(3) that ensure the decision has meaningful human oversight.
The DIFC Commissioner of Data Protection has enforcement authority under Law No. 5 of 2020 and can issue fines of up to USD 100,000 per violation, with the ability to issue multiple fines for related violations. Cumulative exposure for firms operating systematic automated decision-making without compliant governance can be significant.
3. ADGM Financial Services and Markets Regulations: AI Compliance Requirements
The ADGM Financial Services and Markets Regulations (FSMR) establish the primary regulatory framework for financial services activity within the ADGM. The FSRA has supplemented the FSMR with specific guidance on the use of technology in financial services, including the ADGM RegLab framework that enables firms to test innovative financial services products under regulatory supervision.
Under the FSMR, firms using AI in regulated financial services activities must demonstrate that their AI systems meet the same standards of fitness and propriety, governance, and risk management as any other technology system used in regulated activities. The FSRA’s supervisory approach draws on the principle of technology neutrality — the regulatory obligation does not change based on the technology used to deliver the regulated activity.
Three specific FSMR provisions have direct application to AI systems in financial services:
- FSMR Rule 3.3 (Fit and Proper): Individuals responsible for overseeing AI systems that support regulated activities must be fit and proper. For ML-based systems making material financial decisions, this creates an obligation to ensure that the named responsible individual has sufficient technical competency to exercise meaningful oversight — not merely nominal accountability.
- FSMR Chapter 3 (Systems and Controls): Firms must maintain adequate systems and controls for the conduct of their regulated activities. The FSRA has indicated that for AI-based systems, adequate systems and controls include model validation, performance monitoring, and human oversight mechanisms proportionate to the materiality of the automated decisions.
- ADGM AML/CFT Rules 2019 (as amended): These rules establish CDD, transaction monitoring, record-keeping, and suspicious transaction reporting requirements. AI systems used to fulfil any of these obligations must be demonstrably fit for purpose — the Lighthouse case demonstrates that the FSRA will not accept automated system outputs as compliance evidence without examining whether the underlying system was appropriately configured and governed.
4. Central Bank of UAE AI Guidance and Retail Payment Services
For financial services firms operating under Central Bank of UAE (CBUAE) supervision — whether in the mainland UAE, the DIFC, or the ADGM where CBUAE oversight applies to specific payment services — the regulatory framework for AI is evolving rapidly. The CBUAE Retail Payment Services Regulation (issued in January 2023) establishes licensing and operational requirements for payment service providers that have direct implications for AI-powered payment and financial services platforms.
The CBUAE has also issued specific guidance on the use of technology in financial services through its Regulatory Laboratory (RegLab) framework, which allows licensed and prospective firms to test innovative products under supervisory oversight. The CBUAE AI guidance, while not yet consolidated into a single document, is increasingly articulated through RegLab findings, examination guidance, and the CBUAE’s supervisory expectations communicated to regulated entities.
CBUAE Retail Payment Services Reg. (Jan 2023)
Establishes licensing categories (Large, Standard, Micropayment) for payment service providers. AI-powered payment platforms must meet operational resilience, AML/CFT, and data localisation requirements specific to the UAE market.
CBUAE RegLab Framework
Provides a supervised testing environment for innovative financial services technology. Firms deploying novel AI applications in UAE financial services can seek regulatory clarity before full market deployment through structured RegLab engagement.
The CBUAE has signalled in recent supervisory communications that AI systems used for credit decisioning, customer onboarding, and transaction monitoring will be subject to increasing supervisory attention. Firms should anticipate requests for model documentation, validation evidence, and governance records as the CBUAE’s AI supervisory capacity develops in line with the UAE’s National AI Strategy 2031.
5. UAE-Specific AML/CFT Risk Context for AI Systems
The UAE was placed on the FATF Grey List in March 2022, reflecting deficiencies in its AML/CFT framework that the FATF identified across multiple risk categories. The UAE was removed from the Grey List in February 2024 after demonstrating significant remediation — but the Grey List period accelerated regulatory reform across all three financial services jurisdictions (mainland UAE, DIFC, and ADGM) and produced a more demanding supervisory environment that persists.
For AI-powered AML systems deployed in the UAE, the FATF Grey List period is highly significant context. AI models trained primarily on European or US AML typologies will systematically underweight risk patterns specific to the UAE market — including the trade-based money laundering typologies that are prevalent in the UAE given its position as a major trade hub, the real estate investment flows that FATF specifically identified as a risk area, and the cash-intensive business models common in parts of the UAE economy.
6. 12-Item UAE AI Compliance Technical Checklist
UAE Financial Services AI Compliance Checklist (DIFC / ADGM / CBUAE)
- Jurisdiction determination: Confirm which regulatory regime applies to your specific operations — DIFC (DFSA oversight), ADGM (FSRA oversight), or mainland UAE (CBUAE oversight). Each jurisdiction has distinct regulatory requirements. A firm with operations across all three must maintain separate compliance frameworks for each, as the regulations are not directly interchangeable.
- DIFC Law No. 5 of 2020 automated decision-making assessment: For DIFC-based operations, conduct an Article 15 assessment for each AI system making decisions with significant effects on individuals. Document whether you are relying on consent, contractual necessity, or another lawful basis. Implement the required information provision, human intervention, and contestation mechanisms.
- ADGM AML/CFT Rules 2019 system calibration: Verify that AML transaction monitoring systems have been calibrated for UAE-specific risk typologies, not merely adapted from UK or US configurations. Document the calibration methodology and evidence that UAE-specific typologies — trade finance, real estate, precious metals — are adequately captured in alert generation logic.
- MLRO technical competency assessment: The ADGM FSMR and DFSA requirements for a nominated MLRO include the expectation of adequate technical competency to oversee automated AML systems. Verify that the designated MLRO has sufficient understanding of the AI systems within their oversight remit to discharge their responsibilities meaningfully, not nominally.
- Data localisation compliance: CBUAE regulations and emerging UAE data governance requirements impose specific obligations on where financial data is processed and stored. For cloud-based AI systems, verify that processing locations comply with applicable UAE data localisation requirements — particularly for customer data used in AI training or inference.
- UAE National AI Strategy alignment: The UAE National AI Strategy 2031 creates a regulatory environment that is broadly supportive of AI deployment but expects firms to demonstrate responsible AI governance. Document alignment with UAE AI Ethics Guidelines published by the UAE AI Office, particularly requirements for transparency, accountability, and human oversight of high-stakes AI decisions.
- FATF-aligned beneficial ownership verification: Following UAE Grey List remediation, beneficial ownership verification has become a heightened supervisory priority. Verify that AI onboarding systems capture and verify beneficial ownership information to the standard now required by all three UAE regulatory jurisdictions, including automated screening of beneficial owners against UAE-specific and international sanctions lists.
- Enhanced due diligence for UAE high-risk sectors: FATF and FSRA guidance identifies specific UAE sectors as elevated AML risk: real estate, gold and precious metals trading, free zone entities, and virtual asset service providers. Verify that AI CDD systems apply enhanced due diligence protocols for customers in these sectors, not standard CDD with a risk flag attached.
- CBUAE Retail Payment Services Regulation compliance: For payment service providers under CBUAE supervision, verify AI systems against the January 2023 Regulation’s requirements for transaction monitoring, AML controls, and operational resilience. Document licensing category compliance and ensure AI systems meet the specific technical standards applicable to your licence category.
- RegLab consideration for novel AI applications: For AI applications in UAE financial services that are genuinely novel or where regulatory requirements are ambiguous, assess whether CBUAE RegLab or ADGM RegLab participation is appropriate. The regulatory sandbox frameworks in both ADGM and the mainland UAE provide mechanisms for supervised innovation testing that reduce retrospective enforcement risk.
- Suspicious Transaction Report (STR) workflow compliance: UAE financial institutions are required to file STRs with the UAE Financial Intelligence Unit (FIU) — an obligation that applies in the DIFC, ADGM, and mainland UAE. Verify that AI transaction monitoring systems generate alerts that feed into an STR workflow with adequate human review, and that STR filing timelines meet UAE regulatory requirements (24 hours for terrorist financing suspicion; no later than 30 days for other AML suspicion).
- Cross-border data transfer governance: For AI systems that process UAE customer data in data centres outside the UAE, verify compliance with applicable cross-border data transfer requirements. DIFC Law No. 5 of 2020 imposes restrictions on transfers to non-adequate jurisdictions that parallel GDPR Chapter V transfer requirements. Document transfer mechanisms (adequacy, standard contractual clauses, or binding corporate rules) for each cross-border processing relationship.
7. How Claire Supports UAE Financial Services AI Compliance
Claire’s UAE AI Compliance Architecture
Multi-Jurisdiction Compliance Framework (DIFC / ADGM / CBUAE)
Claire maintains separate compliance parameter sets for DIFC, ADGM, and CBUAE-regulated operations, recognising that these three frameworks have distinct requirements that cannot be satisfied by a single unified approach. Regulatory updates to any of the three frameworks are tracked and reflected in jurisdiction-specific compliance documentation, with alerts to designated compliance officers when material regulatory changes require system adaptation.
UAE-Specific AML Typology Library
Claire’s AML screening architecture incorporates UAE-specific risk typologies identified by the FSRA, DFSA, and FATF UAE mutual evaluation reports — including trade finance anomaly detection, real estate transaction monitoring, precious metals trading risk signals, and hawala-adjacent payment patterns. These typologies are maintained as a distinct calibration layer above the base transaction monitoring model, enabling jurisdictional accuracy without requiring complete model retraining for UAE deployments.
DIFC Article 15 Automated Decision Documentation
For DIFC-based operations, Claire automatically generates the Article 15-compliant documentation required when AI systems make decisions with significant effects on individuals. This includes the plain-language explanation of decision logic, the documentation of human intervention pathways, and the contestation mechanism records required by the DIFC Data Protection Law. Documentation is generated at the point of each automated decision and maintained in an auditable record accessible to the DIFC Commissioner of Data Protection on request.
FATF-Aligned Beneficial Ownership AI Verification
Claire’s onboarding architecture incorporates the enhanced beneficial ownership verification standards now required following UAE Grey List remediation. Corporate structures are traced to ultimate beneficial owners using graph-based relationship mapping, with automated screening of identified UBOs against UAE FIU, OFAC, UN Security Council, and ADGM/DFSA sanctions lists. The system generates a structured beneficial ownership verification report formatted for ADGM and DFSA examination purposes.
8. The UAE Regulatory Environment for AI: Where It Is Heading
The UAE’s removal from the FATF Grey List in February 2024 does not signal a relaxation of AML/CFT regulatory expectations. The opposite is true: having achieved Grey List exit through demonstrable regulatory reform, the UAE’s regulators — FSRA, DFSA, and CBUAE — are invested in maintaining and strengthening the standards that secured that outcome. The Lighthouse enforcement action, issued during the Grey List period, represents the beginning of an enforcement posture that will become more rigorous as the UAE financial centres compete for international business on the basis of regulatory credibility.
For financial services firms deploying AI in UAE markets, the strategic imperative is proactive compliance architecture rather than reactive remediation. The Lighthouse case, like the Starling and Bunq cases in the UK and EU, demonstrates that automated systems deployed without UAE-specific governance will eventually attract regulatory attention. The question is whether that attention comes in the form of supervisory guidance — which is recoverable — or enforcement action, which is not.