AML Compliance for DMCC Companies: The 2026 Guide - adilzone | Corporate Consulting Services

AML compliance for DMCC companies is a mandatory legal obligation under Federal Decree-Law No. 10 of 2025 — the UAE’s core anti-money laundering statute. Every DMCC-registered business that qualifies as a designated non-financial business or profession (DNFBP) must maintain documented AML/CFT controls, appoint a compliance officer, and register on the goAML reporting portal. This guide covers who must comply, what the obligations are, what penalties apply, and how to build a compliant programme from day one.

Quick Answer

DMCC companies engaged in trading precious metals, gemstones, or commodities — or providing corporate, accounting, or legal services — must comply with UAE federal AML law. Obligations include appointing a Money Laundering Reporting Officer (MLRO), conducting Customer Due Diligence (CDD) on all clients, monitoring transactions for suspicious activity, filing Suspicious Transaction Reports (STRs) on goAML, and undergoing an independent AML/CFT audit. Failure to comply carries administrative fines from AED 50,000 to AED 100 million, with potential criminal liability for responsible individuals.

Key Takeaways

Federal law applies to all UAE entities — Federal Decree-Law No. 10 of 2025 covers DMCC companies the same way it covers mainland and other free zone entities.
DNFBP classification determines scope — DMCC companies trading in gold, precious metals or stones, or providing accounting and corporate services are classified as DNFBPs with full AML obligations.
goAML registration is not optional — All qualifying entities must register on the UAE FIU’s goAML portal and maintain that registration throughout the business lifecycle.
An MLRO must be appointed — Every DNFBP must designate a qualified compliance officer responsible for the AML/CFT programme.
DPMS cash transactions above AED 55,000 require reporting — Dealers in precious metals and stones must submit a DPMS Report for each qualifying transaction within 15 working days.
Penalties are severe — Administrative fines range from AED 50,000 for goAML non-registration to AED 100 million for serious violations; individuals face imprisonment.
Independent audits are required — DNFBPs must commission periodic independent AML/CFT audits to verify the effectiveness of their controls.

Does UAE AML Law Apply to DMCC Companies?

A common misconception is that free zone companies operate under a separate legal regime and are therefore exempt from UAE federal law. This is incorrect. Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations — which replaced Federal Decree-Law No. 20 of 2018 — applies to all legal entities incorporated or operating in the UAE, including those registered in DMCC.

How DMCC Oversight Works

DMCC operates as an independent free zone authority with its own registration, licensing, and governance rules. For AML/CFT compliance purposes, however, DMCC companies are supervised by federal regulators. The Ministry of Economy (MOE) is the primary AML supervisor for most DNFBP categories operating in UAE free zones that are not financial free zones. DMCC companies with financial services licences — such as payment service providers — may fall under the Central Bank of the UAE (CBUAE) instead. For companies engaged in virtual assets or crypto trading, the Virtual Assets Regulatory Authority (VARA) is the relevant supervisor.

Which DMCC Companies Are DNFBPs?

The following DMCC licence categories fall within the DNFBP definition under UAE AML law and carry full compliance obligations:

Business Type	DNFBP Category	Key Supervisor
Gold and precious metals traders	Dealers in Precious Metals and Stones (DPMS)	Ministry of Economy
Diamond and gemstone traders	Dealers in Precious Metals and Stones (DPMS)	Ministry of Economy
Accounting and audit firms	Accountants and Auditors	Ministry of Economy
Company service providers (CSPs)	Corporate Service Providers	Ministry of Economy
Law firms and legal consultants	Legal Professionals	Ministry of Justice / MOE
Real estate brokers	Real Estate Agents and Brokers	Dubai Land Department / MOE
Virtual asset service providers	VASPs	VARA

If your DMCC licence falls into one of these categories, you are legally required to maintain a full AML/CFT programme. If you are uncertain about your classification, a compliance gap analysis can clarify your obligations before a regulator does.

Not sure if your DMCC licence triggers AML obligations? Adil Zone’s compliance advisory team conducts gap analyses for free zone entities across all 11 UAE free zones where ADZ operates as an approved channel partner. Request a free consultation.

Core AML Obligations for DMCC DNFBPs

Cabinet Decision No. 134 of 2025 — the implementing regulation for Federal Decree-Law No. 10 of 2025 — sets out the detailed obligations for all regulated entities. The following requirements are non-negotiable for DMCC companies classified as DNFBPs.

1. Appoint a Money Laundering Reporting Officer

Every DNFBP must designate a senior individual as the MLRO — also referred to as the Compliance Officer. This person is responsible for receiving internal suspicious activity reports, making the determination to file STRs with the UAE Financial Intelligence Unit (FIU), overseeing the AML/CFT programme, and acting as the primary point of contact for regulators during inspections. The MLRO must have sufficient seniority, resources, and independence within the organisation. For smaller DMCC entities, the MLRO function can be outsourced to a qualified compliance services provider.

2. Implement a Written AML/CFT Policy

A written AML/CFT policy is the foundation of any compliant programme. It must be approved by senior management, be proportionate to the size and risk profile of the business, and be reviewed and updated at least annually. The policy must address the organisation’s risk appetite, procedures for customer onboarding, transaction monitoring, record keeping, staff training, and escalation procedures for suspicious activity.

3. Conduct a Business-Wide Risk Assessment

Before implementing specific controls, DMCC companies must conduct a formal risk assessment covering the following risk categories:

Customer risk — the risk profile of clients you onboard, including nationalities, PEP status, and source of funds
Product and service risk — the ML/TF risk inherent in gold trading, gemstone dealing, or corporate services provision
Geographic risk — the jurisdictions your customers and counterparties originate from, including any high-risk countries identified by the Financial Action Task Force (FATF)
Delivery channel risk — whether transactions occur in person or through intermediaries and third parties

This risk assessment must be documented and updated whenever there are material changes to the business. It forms the basis for applying a proportionate, risk-based approach to all compliance controls.

4. Customer Due Diligence and Know Your Customer

CDD must be conducted on all clients before a business relationship is established and on an ongoing basis throughout the relationship. For DMCC companies, CDD involves verifying the identity of the customer and the beneficial owner (UBO), understanding the nature and purpose of the business relationship, and applying Enhanced Due Diligence (EDD) for high-risk clients — including Politically Exposed Persons (PEPs), clients from high-risk jurisdictions, or those with complex ownership structures. Our complete guide to CDD in the UAE covers the full procedural requirements in detail.

5. Transaction Monitoring

All relevant transactions must be monitored for signs of suspicious activity. For DMCC gold and precious metal traders, this includes watching for patterns such as unusual payment methods, transactions structured just below reporting thresholds, purchases inconsistent with a client’s stated business activity, and payments involving third parties with no clear commercial rationale. Transaction monitoring can be conducted manually for low-volume businesses, but automated systems are strongly recommended for higher-volume traders.

6. Sanctions Screening

Every customer and beneficial owner must be screened against applicable sanctions lists before onboarding and on a continuous basis throughout the relationship. The UAE maintains its own Local Terrorist List, which must be screened alongside international lists published by the UN Security Council (UNSC), the Office of Foreign Assets Control (OFAC), the European Union, and UK-HMT. DMCC companies in the gold and commodities sector face heightened exposure to sanctions risk given the global nature of their supply chains.

7. Record Keeping

All CDD records, transaction records, and correspondence relating to suspicious activity must be retained for a minimum of five years from the end of the business relationship. DMCC companies audited by the MOE or FIU will be required to produce these records on demand. Failure to maintain records is a criminal offence under UAE AML law.

Automate your CDD, sanctions screening, and transaction monitoring. First Compliance screens against 1,800+ sanctions lists and 5.5 million PEP records, with full goAML reporting integration. Built originally for compliance operations across 15+ countries. Learn about First Compliance.

goAML Registration for DMCC Companies

The goAML portal — operated by the UAE Financial Intelligence Unit (FIU) — is the mandatory reporting system for all STRs, Suspicious Activity Reports (SARs), and DPMS Reports. Registration must be maintained and updated whenever there are changes to the MLRO’s details or the entity’s registration status. For step-by-step guidance on registration, see our goAML Portal Registration Guide 2026.

Who Must Register on goAML

Every DMCC company classified as a DNFBP must register on goAML. This includes:

All Dealers in Precious Metals and Stones (DPMS) — gold and diamond traders in DMCC
Accounting and audit firms
Company service providers and CSPs
Legal professionals providing AML-relevant services
Real estate agents and brokers
VASPs registered with VARA

DPMS Cash Transaction Reporting

DMCC gold and precious metal traders face an additional reporting obligation that sets them apart from other DNFBPs. Under Cabinet Decision No. 134 of 2025, any cash transaction — or series of linked cash transactions — of AED 55,000 or more must be reported to the FIU through goAML within 15 working days of the transaction. This is known as a DPMS Report and applies even when the transaction is not considered suspicious. Automated DPMS reporting solutions can significantly reduce the administrative burden for high-volume traders.

AML Obligations in DMCC vs. Other UAE Jurisdictions

DMCC companies are sometimes compared to entities in DIFC and ADGM, which have their own independent financial regulators. The key differences are:

Jurisdiction	AML Supervisor	Applicable Law	DNFBP Oversight
DMCC	MOE (for DNFBPs) / CBUAE (for LFIs)	Federal Decree-Law No. 10 of 2025	Ministry of Economy
DIFC	DFSA (for all DIFC entities)	DIFC AML Module	DFSA
ADGM	FSRA (for all ADGM entities)	FSRA AML Rulebook	FSRA
Mainland UAE	CBUAE / MOE / SCA depending on activity	Federal Decree-Law No. 10 of 2025	Ministry of Economy

For DMCC companies, the MOE is the frontline regulator for AML inspections and can impose administrative penalties directly. For a detailed comparison of these jurisdictions, read our guide on AML Requirements: Mainland vs DIFC vs ADGM.

Independent AML/CFT Audits for DMCC Entities

An independent AML/CFT audit is a mandatory requirement for DNFBPs under UAE law. The audit must be conducted by a qualified third party — not internal staff — and must assess whether the organisation’s AML/CFT controls are adequate and operating effectively. The audit covers:

Review of AML/CFT policy and procedures documentation
Testing of CDD and EDD files against regulatory requirements
Assessment of transaction monitoring systems and processes
Review of sanctions screening records and escalation logs
Evaluation of staff training records and MLRO competency
Review of STR and SAR filing history and goAML reporting compliance

The audit must produce a written report with findings and a Remedial Action Plan (RAP) for any gaps identified. This report should be presented to senior management and retained for regulatory inspection. The frequency of audit depends on the organisation’s risk profile — high-risk businesses such as gold traders should conduct audits at least annually.

Need an independent AML/CFT audit for your DMCC entity? Adil Zone conducts all four types of independent AML/CFT audit: Federal, DFSA, VARA, and Supply Chain. ISO 27001 and ISO 9001:2015 certified. Request an audit quote.

Penalties for Non-Compliance

The UAE has moved decisively to enforce its AML framework since its removal from the FATF grey list. With the 2026 FATF mutual evaluation ongoing, regulators are conducting more inspections and imposing larger penalties. DMCC companies that fail to meet their AML obligations face the following consequences.

Administrative Fines

Violation	Minimum Fine	Maximum Fine
Failure to register on goAML	AED 50,000	AED 5,000,000
Failure to implement AML/CFT policies	AED 500,000	AED 50,000,000
Failure to report a suspicious transaction	AED 500,000	AED 5,000,000
Failure to conduct CDD	AED 100,000	AED 10,000,000
Failure to maintain records	AED 100,000	AED 10,000,000
Serious or repeated violations	AED 5,000,000	AED 100,000,000

Criminal Liability

Beyond administrative fines, individuals — including MLROs, directors, and beneficial owners — can face criminal prosecution under Federal Decree-Law No. 10 of 2025. Convictions for serious AML violations can result in imprisonment of one to ten years, deportation for non-UAE nationals, and permanent disqualification from holding a UAE trade licence. DMCC Authority may also suspend or cancel the company’s licence independently of any federal enforcement action. For a broader overview of AML obligations across the free zone landscape, see our post on AML obligations for free zone companies in the UAE.

Building a Compliant AML Programme for Your DMCC Company

A compliant AML programme does not need to be complex, but it must be documented, proportionate to risk, and actively maintained. The five-step framework below applies to any DMCC DNFBP setting up or strengthening its compliance function.

Step 1 — Risk Assessment

Start with a formal, written Business Risk Assessment. This identifies your inherent ML/TF exposure based on your customers, products, geographies, and delivery channels. The risk assessment drives every other element of the programme — your CDD levels, your monitoring approach, and your training priorities.

Step 2 — Policy and Procedures

Develop a written AML/CFT Policy approved by the board or senior management. Add supporting Standard Operating Procedures (SOPs) for customer onboarding, transaction monitoring, sanctions screening, STR filing, and record keeping. These documents must be reviewed at least annually and whenever there are significant regulatory changes.

Step 3 — MLRO Appointment

Designate a qualified MLRO and ensure that person has sufficient time and resources to fulfil the function. Register the MLRO on goAML as the reporting entity’s responsible officer. For DMCC entities without an in-house compliance professional, outsourcing the MLRO function to a qualified external provider is a recognised and compliant option under UAE law.

Step 4 — Staff Training

All staff who interact with customers or handle transactions must receive regular AML/CFT training. Training must be role-specific — a customer-facing relationship manager needs different training to a back-office operations clerk. The MLRO requires specialist training on UAE law, STR filing, and risk assessment methodology. Training records must be maintained as evidence of compliance. For DMCC gold and DPMS traders, sector-specific training on gold supply chain financial crime risks is strongly recommended.

Step 5 — Independent Audit

Commission an independent AML/CFT audit to test whether your programme works in practice. Use the findings to close gaps before a regulatory inspection identifies them. Build the audit into your annual compliance calendar. For a self-assessment you can run before an external audit, use our AML Self-Assessment Guide for DNFBPs in UAE.

Frequently Asked Questions

Are all DMCC companies required to comply with UAE AML law?

Not all DMCC companies face the same level of obligation. Entities that qualify as DNFBPs — including gold traders, diamond dealers, accountants, lawyers, and CSPs — carry full AML compliance obligations. Entities engaged in general trading or manufacturing that do not fall within DNFBP categories still have an obligation to avoid facilitating ML/TF activity, but do not face the same programme requirements as DNFBPs. If you are unsure of your classification, a gap analysis will confirm your obligations.

Does DMCC have its own AML rules separate from federal law?

DMCC Authority has its own governance requirements and conducts its own compliance checks as part of the licensing process. For AML/CFT purposes, however, DMCC companies are governed by UAE federal law — Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025 — and are supervised by the Ministry of Economy or the CBUAE depending on their licence category. DMCC is not a financial free zone with its own standalone AML rulebook in the way that DIFC and ADGM are.

When does a DMCC gold trader need to file a DPMS Report?

A DPMS Report must be filed via goAML within 15 working days of any cash transaction — or series of linked cash transactions — totalling AED 55,000 or more. This reporting obligation applies regardless of whether the transaction appears suspicious. It is in addition to — not instead of — the obligation to file an STR when there are grounds to suspect money laundering or terrorist financing.

Can a DMCC company outsource its MLRO function?

Yes. UAE AML regulations permit DNFBPs to outsource the MLRO function to a qualified external compliance services provider, provided the entity retains ultimate responsibility for its AML/CFT programme. The outsourced provider must be able to act as the FIU reporting point of contact and must be capable of receiving internal suspicious activity referrals promptly. This is a widely used and cost-effective arrangement for smaller DMCC entities.

How often must a DMCC DNFBP conduct an independent AML/CFT audit?

UAE law does not prescribe a fixed interval, but supervisory practice indicates that high-risk DNFBPs — such as DPMS businesses — should conduct independent audits at least annually. Lower-risk entities may be audited every two years. The audit frequency should be documented in the entity’s AML policy and risk assessment. Following any material change to the business, an ad hoc audit or gap review is advisable.

What happens if a DMCC company is found non-compliant during a MOE inspection?

The Ministry of Economy can impose administrative fines directly during or following an inspection. It can also require the entity to remediate identified gaps within a defined timeframe, issue formal warnings, and escalate serious cases to the Attorney General’s office for criminal prosecution. DMCC Authority may independently take licensing action — including suspension or cancellation — if a company’s AML failures are found to pose a risk to the free zone’s regulatory standing.

What changed under Federal Decree-Law No. 10 of 2025 for existing DMCC companies?

Federal Decree-Law No. 10 of 2025 introduced several important changes compared to the replaced Decree-Law No. 20 of 2018: enhanced requirements for Proliferation Financing (PF) risk assessment, strengthened UBO verification obligations, updated goAML reporting timelines, and additional obligations for high-risk sectors. DMCC companies with existing AML programmes should conduct a gap analysis against the new law to confirm their policies, procedures, and systems remain fully compliant.

Is KHDA-approved AML training available for DMCC compliance teams?

Yes. Compliance 360 by Adil Zone offers 32 KHDA-approved AML/CFT training courses, including sector-specific courses for DPMS businesses (gold supply chain financial crime red flags), corporate service providers, and compliance officers. All courses include a participation certificate. In-house training sessions can be arranged for DMCC entities that prefer group delivery for their teams.