Buyer’s checklist · UAE
Due diligence in 2025 needs more than a company search
If you are about to invest, acquire, onboard a vendor, or open a bank relationship in the UAE, the old playbook of financial statements, a trade licence copy, and a passport scan will not protect you. Deepfake identities, shell layers across three jurisdictions, and sanctions lists that update weekly have raised the bar. This is what to verify before you commit.
Due diligence used to be a document exercise. You collected audited accounts, a certificate of incorporation, a couple of reference letters, and a signed declaration. If the numbers ticked, the deal moved. That model was built for a world where most counterparties were visible, ownership was linear, and fraud looked like an obviously forged invoice. None of that is true anymore, especially in a hub like the UAE where capital, people, and structures move across dozens of borders every week.
The pressure now comes from three directions at once: attackers using generative AI to fabricate identities and documents, a sanctions environment that reprices risk overnight, and ownership chains that deliberately spread across free zones, offshore vehicles, and nominee arrangements. A buyer who still treats due diligence as a one-time checklist is quietly absorbing risks the seller has already priced in.
Verify before you sign
The eight-item buyer’s checklist
Work through each item independently. A green tick on one does not compensate for a gap on another.
- Confirm the human on the other side is real. Use live video verification with liveness detection, cross-checked against an official ID and, where possible, a UAE Pass or equivalent. Static selfies and PDF passports can now be generated in minutes.
- Trace ultimate beneficial ownership past the first layer. Do not stop at the holding company. Map every entity in the chain, the jurisdiction each sits in, and the natural person at the end. Note nominees and powers of attorney separately.
- Screen against live sanctions and PEP lists. Cover OFAC, EU, UK OFSI, UN, and the UAE Local Terrorist List, plus regional watchlists. A screen done six months ago is already stale.
- Run adverse-media checks in multiple languages. Cover Arabic, English, Russian, Mandarin, and the language of any linked jurisdiction. Fraud stories often surface first in the local press, not in global databases.
- Test the source of funds and source of wealth separately. How the money for this specific transaction was raised is a different question from how the counterparty became wealthy in the first place.
- Assess ESG and geopolitical exposure. Look for supply chain links to sanctioned regions, environmental fines, labour disputes, and reliance on politically fragile corridors. These translate directly into future compliance costs.
- Investigate third parties, agents, and vendors. Bribery and sanctions breaches usually enter through an intermediary. Every material third party gets its own file.
- Set up continuous monitoring, not a one-off check. Trigger alerts on ownership changes, new litigation, sanctions updates, and negative news. Deals go bad between the closing date and the first anniversary, not on day one.

AI-assisted fraud and deepfake identities
The single biggest change in the last two years is the collapse in the cost of faking a person. A convincing video call, a signed board resolution, and a matching set of utility bills can be produced in an afternoon by someone with modest technical skill. In early 2024, a Hong Kong finance employee was tricked into transferring around 25 million US dollars after joining a video call where every other participant, including the CFO, was a deepfake, as reported by Reuters. The same techniques are already being used against onboarding teams in the Gulf.
Practical defences are not exotic. Use liveness checks that require unpredictable movement, not a smile. Cross-reference the ID against government sources rather than trusting an uploaded scan. On high-value deals, meet in person at least once, and be honest with yourself about which meetings you have skipped because a video call was convenient. Document forgery detection has improved, but so has document generation, and the arms race is not slowing down.
Modern risk management platforms now bundle biometric checks, document authentication, and database screening into a single workflow, which is what most compliance teams in the UAE are moving toward. The tooling matters, but so does the policy behind it: a clear rule that no payment above a set threshold moves on the basis of a video call alone.
“If your onboarding process can be beaten by a good laptop and a quiet room, it is not really onboarding. It is theatre.”
Layered ownership, shell companies, and cross-border chains
The second hard problem is structure. In the UAE, it is normal and legal for a real business to sit under a mainland LLC, owned by a free-zone holding company, owned in turn by an offshore vehicle in the BVI or Cayman, with a trust somewhere in the mix. Most of these chains are legitimate tax and estate planning. Some are designed to hide who is actually calling the shots.
Regulators know this, which is why the UAE tightened its beneficial ownership regime and was subsequently removed from the FATF grey list in early 2024, a decision covered in detail by the Financial Action Task Force. The obligation to identify the natural person behind a corporate customer is now firmly on the buyer, not just on the registry.

Reference table: which checks fit which deal
Not every transaction needs the full battery. Use this as a rough calibration, then adjust for jurisdiction and sector risk.
| Scenario | Minimum checks | Typical timeline | Continuous monitoring? |
|---|---|---|---|
| Low-value vendor onboarding | ID, licence, sanctions, PEP, basic UBO | 1 to 3 days | Quarterly re-screen |
| New corporate banking client | Full UBO map, source of wealth, adverse media, EDD on high-risk jurisdictions | 1 to 3 weeks | Continuous, event-driven |
| Private equity or M&A target | Everything above plus ESG, litigation, tax, cyber, and key-person checks | 4 to 12 weeks | Continuous through hold period |
| Cross-border joint venture | Full stack plus geopolitical and sanctions scenario analysis | 6 to 16 weeks | Continuous plus quarterly review |
| Real estate purchase by a foreign entity | UBO, source of funds, sanctions, PEP, and jurisdiction risk | 2 to 6 weeks | Annual refresh |
What good looks like
Signals that your process has matured
- You can name the ultimate beneficial owner of every material counterparty from memory, or find them in under a minute.
- Your sanctions screening runs daily, not at onboarding only, and alerts route to a named owner.
- Adverse-media searches include Arabic and the counterparty’s home language.
- Third-party agents have their own risk files, not a folder inside the parent client.
- ESG and geopolitical exposure appear in the investment memo, not just in a separate sustainability report.
- There is a written rule for when a video call is not enough and an in-person meeting is required.
- Findings from continuous monitoring feed back into pricing, covenants, or exit decisions.
Where due diligence is heading next
Three shifts are already visible in the UAE market. First, regulators expect risk-based, continuous processes rather than annual reviews. The Central Bank of the UAE and the DFSA both now assess firms on how quickly they detect and respond to change, not just on whether files exist. Second, ESG and geopolitical factors are being folded into standard financial due diligence rather than sitting in a separate report that nobody reads at signing. Third, the tooling is consolidating: identity verification, UBO mapping, sanctions screening, and adverse media are collapsing into single platforms so that findings can be correlated instead of siloed.
The buyers who will do best over the next few years are not the ones with the thickest binders. They are the ones who treat due diligence as a living picture of the counterparty, updated whenever something changes, and connected directly to the commercial decisions that follow. Everything else is paperwork.
Frequently asked questions
What is the difference between traditional and modern due diligence?
Traditional due diligence focused on documents collected at a single point in time: financial statements, licences, references, and an ID copy. Modern due diligence adds live identity verification, beneficial ownership mapping across jurisdictions, sanctions and PEP screening against constantly updated lists, adverse-media checks in multiple languages, and continuous monitoring after onboarding.
The shift is from a one-off gate to an ongoing view of the counterparty.
How do I detect a deepfake during a video onboarding call in the UAE?
Use identity verification tools with liveness detection that require unpredictable actions, such as turning the head at a specific angle or reading a random phrase. Cross-check the ID against official sources rather than trusting the uploaded image, and compare the voice and face against any prior recordings you hold.
For high-value transactions, add an in-person meeting or a call-back to a verified phone number registered with the counterparty’s regulator or bank.
Do I need to identify the ultimate beneficial owner for every UAE counterparty?
In practice, yes, for any counterparty that is material to your business. Under the UAE’s beneficial ownership regulations, companies are required to maintain UBO registers, and regulated entities such as banks, DNFBPs, and virtual asset service providers must identify the natural person who ultimately owns or controls a customer.
Even if you are not regulated, verifying UBOs protects you from sanctions exposure, fraud, and reputational damage. Stop only when you reach a natural person, not at the first holding company.
How often should sanctions screening be repeated?
Sanctions and watchlists change frequently, sometimes daily. Best practice is to screen at onboarding and then automatically re-screen against updated lists at least once a day for active counterparties. Any positive or possible match should trigger a documented review before payments continue.
Point-in-time screening at onboarding alone is no longer considered adequate by most Gulf regulators.
What is continuous due diligence and why does it matter?
Continuous due diligence means monitoring counterparties for change after onboarding: new ownership, litigation, adverse news, sanctions listings, regulatory action, or shifts in country risk. Alerts are routed to a compliance owner who decides whether to escalate, re-price, or exit the relationship.
It matters because most deals turn bad between the closing date and the first anniversary, not on day one. A file that is only refreshed at renewal misses that window.
How do ESG and geopolitical risks fit into due diligence today?
ESG and geopolitical factors are no longer optional add-ons. Environmental fines, labour disputes, supply-chain links to sanctioned regions, and dependence on politically fragile corridors all translate into future financial and compliance costs.
Include them in the same file as financial and legal checks so that decision-makers see a single risk picture, not three separate reports that never get read together.
How long should a full due diligence exercise take in the UAE?
Timelines vary with deal size and complexity. Simple vendor onboarding can be completed in one to three days. A new corporate banking relationship typically takes one to three weeks. Private equity, M&A, and cross-border joint ventures usually run from four to sixteen weeks, depending on how many jurisdictions are involved and how cooperative the target is.
Rushing the timeline is the most common cause of missed red flags.
Can technology fully replace human due diligence analysts?
No. Technology handles volume, matching, and monitoring far better than humans, and it should. But interpretation, judgement on complex ownership structures, and the decision on whether a red flag is a deal-breaker still require experienced analysts.
The best setup pairs automated screening and continuous monitoring with a small team of analysts who investigate the cases the machine flags.