When Wars Are Fought with Money

Wartime Financial Crime, Cross-Jurisdiction Compliance Obligations and What Regulated Entities Must Do Now

Key Takeaways

Active conflicts accelerate six distinct wartime financial crime typologies — all of which are now visible in GCC, European and APAC risk registers.
The UAE’s new AML framework (Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025) is the most comprehensive overhaul in the country’s regulatory history. Regulated entities have no grace period.
The CBUAE levied over AED 380 million in fines in the first half of 2025 alone. Personal accountability for MLROs and CCOs is now actively enforced.
Compliance programmes built for a stable risk baseline are structurally insufficient. Real-time monitoring, continuous CDD re-assessment, and cross-jurisdiction regulatory intelligence are the new baseline.
Entities operating across the UAE, EU and Asia-Pacific simultaneously need a platform built for that complexity — not three separate tools stitched together.

The geopolitical landscape has changed more in the past four weeks than in the previous four years.

Active conflict in the region has triggered the most significant energy supply disruption in modern history, prompted capital to move at a pace not seen since the 2008 financial crisis, and introduced a level of uncertainty into Gulf financial markets that even the most experienced risk managers in DIFC and ADGM describe as unprecedented. Brent crude has crossed USD 100. War-risk insurance premiums have surged fivefold. The Strait of Hormuz — through which approximately 20% of global oil flows daily — is effectively closed to commercial shipping.

And yet, sitting here as both Haydr’s founder and its designated MLRO, the most striking thing is not the geopolitical conflict itself. It is the speed at which illicit financial flows have moved to exploit it.

The financial crime typologies that emerge during active conflict are not theoretical constructs from a compliance training manual. They are happening now. In this region. Flowing through the same financial corridors — VASPs, fund administrators, precious metals dealers, real estate brokerages, gaming operators — that Haydr was purpose-built to protect.

The same crisis that creates operational risk for businesses in the Gulf is simultaneously creating the most urgent demand environment for compliance infrastructure in a generation.

This piece covers the six wartime financial crime typologies now entering compliance risk registers across the GCC, Europe, and Asia-Pacific; what the new UAE regulatory architecture means operationally for every regulated entity; why this is no longer a UAE-specific issue; and what genuine cross-jurisdiction compliance resilience actually looks like in practice.

If you are a compliance officer, MLRO, CCO, or board member at a regulated entity — whether your business is domiciled in Dubai, Riyadh, Singapore, Amsterdam, or Tallinn — I think the next 15 minutes will be worth your time.

The Financial Anatomy of Conflict

Wars do not only destroy physical infrastructure. They destroy the information infrastructure that compliance depends on.

Customer due diligence files become stale overnight. Beneficial ownership chains that were accurate in January are unrecognisable by March as corporate structures are rapidly reorganised. Sanctioned individuals who were previously inaccessible to the international financial system find that conflict creates new access points — new jurisdictions, new intermediaries, new transaction methods — that compliance programmes calibrated to a peacetime baseline were not designed to detect.

The pattern is consistent across every major conflict of the past three decades. The Gulf War of 1990–91 triggered a surge in informal value transfer through hawala networks. The Iraq War generated extensive trade-based money laundering through overbilling on reconstruction contracts. The Ukraine conflict, beginning in 2022 and escalating in subsequent years, produced the most sophisticated sanctions evasion architecture seen in modern financial crime history.

The Middle East conflict that erupted in February 2026 is generating the same phenomenon — accelerated, amplified, and complicated by three factors that did not exist in previous conflicts: the maturation of the virtual asset ecosystem, the expansion of the UAE and GCC financial centres as genuinely global hubs, and the most complex multi-jurisdictional sanctions regime in history.

The UAE sits at the intersection of all of it. As one of the world’s most open cross-border financial corridors — with DIFC managing assets under management exceeding USD 700 billion in 2025 and ADGM reporting a 42% rise in AUM in H1 2025 alone — the Gulf’s financial architecture is simultaneously its greatest competitive advantage and its greatest compliance challenge.

Regulated entities that were comfortable delaying compliance automation decisions in 2025 are now operating in a risk environment that has compressed a three-year compliance maturation timeline into twelve months.

The Six Wartime Typologies Now in Your Risk Register

In June 2025, the Financial Action Task Force published its most comprehensive analysis of proliferation financing and sanctions evasion typologies to date, drawing on 40 case studies covering Iran, DPRK, and Russia. The report was stark: only 16% of countries assessed had demonstrated high or substantial effectiveness in countering the financing of weapons proliferation.

That report was published before the February 2026 conflict escalation. The typologies it documented are now operating at significantly higher velocity.

The six wartime financial crime typologies – each now active in GCC, European, and APAC risk registers.

Sanctions evasion via layered corporate structures

Front companies, shell companies, and complex opaque ownership structures are the primary mechanism by which sanctioned entities access the international financial system during conflict. The FATF has documented how DPRK frequently uses multi-layered corporate arrangements to violate UN Security Council sanctions. UAE-domiciled entities, given their geographic position and ease of company formation in free zones, represent a known transit risk.

Capital flight structuring

High-net-worth individuals and institutional capital moving rapidly across borders generate significant AML risk. The primary vehicles are real estate, precious metals and stones, and structured deposits designed to stay below STR reporting thresholds. The Ministry of Economy issued over AED 42 million in fines against precious metals and real estate brokerages in H1 2025 alone.

Trade-based money laundering (TBML)

Over- and under-invoicing of goods, falsified trade documentation, and dual-use goods procurement are among the most difficult typologies to detect. During active conflict, TBML is amplified simultaneously: reconstruction procurement creates inflated invoicing opportunities, while supply chain disruption creates documentation gaps that launderers exploit.

Virtual asset exploitation

The theft of USD 1.5 billion from ByBit in February 2025 — attributed to DPRK state actors — was the most visible data point in a sustained campaign to exploit the virtual asset ecosystem as a parallel financial system. Crypto mixing, tumbling, chain-hopping, and privacy coins are used systematically to obscure the origin of funds.

Proliferation financing

Conflict-related informal value transfer

The GCC's legitimate hawala infrastructure serving millions of workers carries elevated risk during conflict: it becomes a mechanism for capital flight and a potential channel for sanctions evasion. The CBUAE has issued specific AML guidance for registered hawala providers.

Why the GCC - Not Just the UAE - Is the Focus

GCC regulatory landscape: four nations, multiple supervisory authorities, one interconnected compliance challenge.

It would be a mistake to read the compliance pressure as exclusively a UAE phenomenon. The risk environment has deteriorated across the entire GCC corridor.

Saudi Arabia, under SAMA’s regulatory framework, has been tightening AML supervision significantly as part of Vision 2030’s credibility infrastructure. Bahrain, as a key correspondent banking hub, faces specific exposure from conflict-related capital flows. Qatar’s LNG financing flows — significantly disrupted by the conflict — create new CDD obligations.

The common thread is the upcoming FATF mutual evaluation of the UAE, anticipated in mid-2026.

The question the FATF examiner will ask is not ‘do your rules say the right things?’ It is ‘can you demonstrate that they actually work?’ That is a fundamentally different – and more demanding – standard.

What UAE, EU and APAC Regulators Are Actually Doing

Cross-jurisdiction regulatory convergence: UAE, EU and Singapore timelines running in parallel.

The UAE: A Generational Overhaul

Federal Decree-Law No. 10 of 2025 represents the most comprehensive overhaul of UAE AML law in history:

Proliferation financing is now a standalone criminal offence. Penalties: AED 1M to AED 10M.
The evidentiary threshold has been lowered: knowledge can now be inferred from objective circumstances.
Tax evasion is now explicitly a predicate offence for money laundering.
VASPs are fully aligned with conventional financial institutions in AML/CFT/CPF obligations.
Cabinet Resolution No. 134 extended the DNFBP perimeter to include commercial gaming operators.

In H1 2025, the CBUAE levied over AED 380 million in fines across 31 institutions. A single exchange house received a landmark AED 200 million penalty. Its branch manager was permanently banned.

The AED 200 million single-entity penalty, combined with the permanent personal ban on the branch manager, established a template that every MLRO and CCO in the GCC should take seriously: the individual in the compliance chair is personally accountable.

The EU: MiCA, AMLD6 and DORA

European regulated entities are navigating a simultaneous convergence of three major regulatory frameworks: MiCA brings VASPs under full AML/CFT scope across all 27 EU member states. AMLD6 expands predicate offences and introduces criminal liability for legal persons. DORA imposes operational resilience obligations.

Singapore and APAC: MAS Sets the Regional Standard

MAS has been the most sophisticated RegTech-enabling regulator in APAC. Its PSA expansion, combined with MAS TRM guidelines and FATF-aligned Travel Rule obligations, creates a compliance architecture closely mirroring the UAE’s ambitions. MAS committed S$150 million under FSTI 3.0 for AI, analytics, RegTech and cybersecurity.

What Cross-Jurisdiction Compliance Resilience Actually Looks Like

The gap between formal compliance and genuine resilience is where most regulated entities currently sit. Formal compliance means your policies say the right things. Genuine resilience means your controls actually work in practice and your evidence trail demonstrates it.

Haydr’s three modules mapped against three jurisdictions – one platform for cross-border compliance.

Continuous Customer Risk Assessment

Customer risk does not change on your review schedule. It changes when the world changes. When a beneficial ownership chain passes through a jurisdiction now under targeted financial sanctions, your system needs to know immediately.

Real-time Transaction Monitoring

Batch transaction monitoring — alerts generated overnight and reviewed the following morning — is a peacetime solution. In an environment where sanctions designations are updated multiple times per week, batch monitoring is not adequate.

Multi-jurisdiction Regulatory Intelligence

The single most time-consuming element of compliance in a multi-jurisdiction environment is regulatory intelligence: tracking what has changed, understanding what it means, and updating your controls accordingly.

The entities that will navigate the next twelve months most effectively are not those with the largest compliance teams. They are those with the best infrastructure.

Resilience is Also a Competitive Advantage

The entities that build genuinely resilient compliance programmes now will not just avoid fines. They will attract better counterparties, face fewer correspondent banking restrictions, win the trust of regulators and institutional clients, and close deals faster.

The UAE’s extraordinary growth as a global financial hub was not built despite its regulatory infrastructure. It was built in large part because of it.

The question is not whether the risk environment will deteriorate further. It will. The question is whether your compliance infrastructure was built to absorb that deterioration and continue operating with integrity.

If you are building or rebuilding your compliance infrastructure for the environment described in this article, I would genuinely welcome a conversation. Not a sales call — a compliance conversation.

Sources & References

Federal Decree-Law No. 10 of 2025 — UAE Legislation Portal

Cabinet Resolution No. 134 of 2025 — effective 14 December 2025

Al Tamimi & Company: ‘The UAE’s AML Framework’ — March 2026

Norton Rose Fulbright: ‘The UAE’s New AML Regime’ — 2025/2026

Herbert Smith Freehills Kramer: ‘UAE Introduces Landmark New AML and CFT Law’ — January 2026

A&O Shearman: ‘UAE Tightens Monitoring of High-Risk Industries’ — December 2025

ADEPTS: ‘UAE’s Stringent AML Enforcement: Over AED 380M Fines in H1 2025’ — August 2025

FATF: ‘Complex Proliferation Financing and Sanctions Evasion Schemes’ — June 2025

FATF: ‘High-Risk Jurisdictions Subject to a Call for Action’ — February 2026

US Treasury: Endorsement of New International Payments Standards — June 2025

MCO: ‘UAE Compliance Crackdown’ — 2025

Ashurst: ‘Corporate Crime & Investigations: Global Trends for 2026’

Disclaimer

This article is published by Haydr Technologies Limited for informational and thought leadership purposes only. It does not constitute legal, regulatory, or compliance advice. Regulatory information reflects the author’s understanding as of March 2026 and is subject to change. © 2026 Haydr Technologies Limited.