AML Compliance for DPMS in UAE: The 2026 Guide - adilzone | Corporate Consulting Services

The UAE is the world’s largest re-exporter of gold, and Dubai alone handles a meaningful share of global rough and polished diamond trade. That commercial scale carries a corresponding regulatory burden. Every Dealer in Precious Metals and Stones (DPMS) operating in the UAE is now squarely inside the country’s AML/CFT regime, supervised by the Ministry of Economy and held to the same risk-based standard as banks. This guide walks through what AML compliance for DPMS in the UAE actually looks like in 2026, from goAML registration and the AED 55,000 cash threshold to the audit evidence supervisors expect to see.

Quick Answer: AML Compliance for DPMS in UAE

UAE-based Dealers in Precious Metals and Stones are designated DNFBPs under Federal Decree-Law No. (20) of 2018 and Cabinet Decision No. (10) of 2019. They must appoint a Compliance Officer, register on goAML, conduct customer due diligence, screen against UAE Local Terrorist List and UN sanctions, file Suspicious Transaction Reports (STRs) and DPMSR reports for cash deals at or above AED 55,000, retain records for at least five years, and submit to independent AML audit. Failure to comply triggers administrative fines of up to AED 5 million per violation, suspension of trade license, and criminal liability for senior management.

Key Takeaways

You are a DPMS if you trade in gold, silver, platinum, palladium, diamonds, pearls, or other precious stones above the regulated threshold, regardless of free zone or mainland status.
goAML registration is mandatory for every DPMS, and registration alone does not satisfy compliance. You must actually file STRs and DPMSR reports when triggered.
The AED 55,000 cash threshold applies to single transactions and structured (linked) transactions in cash, not to bank transfers or letters of credit.
Sanctions screening must include the UAE Local Terrorist List, UNSC consolidated list, and the Executive Office for Control and Non-Proliferation lists, screened at onboarding and on a continuous basis.
Independent AML audit is not optional for medium and high-risk DPMS firms. The audit must be conducted by a qualified, independent function.
FATF’s 2026 follow-up on the UAE places the gold and diamond trade under heightened scrutiny, particularly for trade-based money laundering typologies.
Penalties are tiered, but Article 14 of the AML Law authorises fines up to AED 5 million per violation and suspension or revocation of license for repeat or wilful failures.

1. Who Counts as a DPMS Under UAE AML Law?

The first compliance question is also the one most often answered incorrectly: am I a DPMS in the regulatory sense, or am I something else?

The Ministry of Economy Definition

Cabinet Decision No. (10) of 2019, which contains the Executive Regulations for Federal Decree-Law No. (20) of 2018, designates DPMS as a category of Designated Non-Financial Business or Profession (DNFBP). The Ministry of Economy (MOE) is the supervisory authority for DNFBPs, including DPMS, across mainland UAE and most free zones. Free zones with their own financial regulators (such as DIFC and ADGM) supervise their own licensed DPMS, but the substantive AML obligations are aligned to the federal framework.

Activities That Trigger DPMS Status

You are caught by the regime if your business engages in any of the following on a regular or commercial basis:

Buying or selling gold, silver, platinum, or palladium in any form (bullion, coins, jewellery, scrap)
Buying or selling diamonds (rough or polished), pearls, rubies, sapphires, emeralds, and other precious stones
Manufacturing or processing precious metals and stones for resale
Acting as a refiner, assayer, or supply-chain intermediary for the above
Operating an online or e-commerce platform that facilitates DPMS transactions

Common Misconceptions About Scope

Three misconceptions surface repeatedly in the UAE market:

“I only deal in jewellery, not bullion, so I am exempt.” Incorrect. Jewellery falls within the precious metals definition.
“I am in a free zone, so federal AML law does not apply.” Incorrect. Free zone DPMS are within scope under either MOE supervision or the relevant free zone regulator.
“My turnover is small, so I am below the threshold.” There is no de minimis exemption from registration. Every DPMS must register on goAML and have a compliance programme. The AED 55,000 threshold relates to the DPMSR reporting trigger, not to whether the regime applies.

2. The UAE Legal Framework Governing DPMS Compliance

A defensible compliance programme cites the right authorities by name. UAE supervisors expect senior management and the Compliance Officer to know the source of every obligation in their policy.

Federal Decree-Law No. (20) of 2018

This is the primary statute criminalising money laundering, terrorism financing, and the financing of unlawful organisations. Article 4 sets out the obligations of Financial Institutions and DNFBPs, including identifying customers, conducting CDD, maintaining records, and reporting suspicious transactions. Article 14 contains the administrative penalty matrix.

Cabinet Decision No. (10) of 2019

The Executive Regulations operationalise the AML Law. They specify the form and content of CDD, the categories of high-risk customers requiring Enhanced Due Diligence (EDD), record-keeping minimums, the role and independence of the Compliance Officer, and the requirement for an independent audit function.

Cabinet Resolution No. 74 of 2020 and TFS Guidance

Cabinet Resolution No. 74 of 2020 governs Targeted Financial Sanctions (TFS). DPMS firms must implement TFS without delay and report any positive match against the UAE Local Terrorist List or UNSC sanctions lists to the Executive Office for Control and Non-Proliferation. Detailed TFS implementation guidance is available from the UAE Executive Office for Control and Non-Proliferation.

Ministry of Economy Supervisory Authority

The MOE conducts onsite and offsite inspections of DPMS firms. The MOE’s DNFBP supervisory programme issues circulars, sectoral risk assessments, and self-assessment templates. For background on supervisory expectations, see our deep-dive on the AML Self-Assessment Guide for DNFBPs in UAE.

3. The Five Pillars of a DPMS AML Programme

FATF Recommendations 22 and 23, transposed into UAE law, define five core pillars every DPMS programme must demonstrate. We summarise each pillar below with the specific evidence MOE inspectors expect to see.

Pillar 1: Risk Assessment (RBA and EWRA)

A DPMS must conduct an Enterprise-Wide Risk Assessment (EWRA) annually, plus a transaction-level risk-based approach for each customer relationship. The EWRA must address customer risk, geographic risk, product risk, and delivery channel risk. Gold and diamond firms typically score elevated on geographic risk because of supply chains involving conflict-affected and high-risk jurisdictions.

Pillar 2: Customer Due Diligence and EDD

CDD applies to every business relationship and to occasional transactions at or above the regulatory threshold. For natural persons, you must collect Emirates ID, passport, address proof, and source of funds documentation. For legal persons, you must identify the Ultimate Beneficial Owner (UBO) at the 25 percent ownership threshold (lower if higher risk). EDD is mandatory for Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, and transactions inconsistent with the customer’s profile. Our companion guide on CDD in the UAE walks through documentation standards.

Pillar 3: Sanctions and PEP Screening

Screening must run against the UAE Local Terrorist List, UNSC consolidated list, and any other lists designated by the Executive Office. Best practice extends screening to OFAC, EU, UK-HMT, and adverse media. Screening must occur at onboarding, before each transaction at or above threshold, and on a continuous basis (typically daily) to catch new designations.

Pillar 4: Transaction Monitoring

Transaction monitoring rules for DPMS should detect: structuring (multiple cash deals just below AED 55,000), unusual settlement patterns (third-party payers, exotic jurisdictions), price anomalies (gold sold significantly below market), and rapid turnover (assets bought and resold within days without commercial logic).

Pillar 5: Reporting (STR/SAR plus DPMSR)

Two distinct reporting streams apply to DPMS:

STRs and SARs are filed via goAML whenever a transaction or attempted transaction triggers suspicion of money laundering or terrorism financing, regardless of value.
DPMSR (Dealers in Precious Metals and Stones Report) is a separate goAML filing triggered by every cash transaction at or above AED 55,000, whether or not suspicious.

Automate DPMS reporting end-to-end

First Compliance is built for UAE DNFBPs. It automates CDD, screens against 1,800+ sanction lists and 5.5M+ PEP records, generates STR/SAR drafts in goAML format, and triggers DPMSR alerts the moment a cash transaction crosses the AED 55,000 threshold.

See First Compliance in action

4. DPMSR Reporting: The AED 55,000 Cash Threshold

The DPMSR regime is the single most distinctive obligation for the sector. It is a transaction-by-transaction reporting duty that runs alongside, not instead of, the STR regime.

When DPMSR Applies

A DPMSR must be filed when a single cash transaction, or a series of linked cash transactions that together cross the threshold, equals or exceeds AED 55,000. The threshold applies to:

Cash receipts from a buyer for the sale of precious metals or stones
Cash payments to a seller for the purchase of precious metals or stones
Cash advances and structured cash deposits linked to a single transaction

Wire transfers, letters of credit, and electronic payments are not subject to DPMSR, although they may still trigger an STR if circumstances warrant.

How to File via goAML

Every DPMS must register on the UAE FIU’s goAML portal using the standard registration workflow. Filing involves submitting structured XML or completing the web form with transaction details, parties, beneficial ownership, source of funds, and supporting documentation. For first-time filers, our goAML Registration Guide for 2026 walks through the registration steps in order.

Records and Retention

All CDD records, transaction records, internal risk decisions, training logs, and STR/DPMSR submissions must be retained for at least five years from the end of the customer relationship or the date of the transaction, whichever is later. Records must be retrievable in a format the supervisor can review on demand.

Reporting Type	Trigger	Filing Deadline
STR	Suspicion of ML/TF, any value	Without delay (typically within 35 days)
SAR	Suspicious activity, attempted or completed	Without delay
DPMSR	Cash transaction at or above AED 55,000	Within prescribed period after the transaction

5. Red Flags Specific to the Gold and Diamond Trade

Generic AML training rarely captures the typologies that actually surface in UAE precious metals and stones operations. The flags below are drawn from FATF guidance on the gold sector, MOE sectoral risk assessments, and on-the-ground patterns observed in DMCC and Dubai Diamond Exchange transactions.

Customer Red Flags

Buyers paying with bundles of new, sequential currency notes
Customers who refuse to disclose source of funds for high-value cash purchases
Walk-in customers attempting to purchase gold worth AED 50,000 to AED 54,999, repeated across consecutive days (structuring)
Newly registered companies with no operational history seeking large bullion purchases
Third-party payers settling on behalf of the named buyer without explanation

Transaction Red Flags

Unusual urgency to close, particularly cash-on-collection deals on the same day
Round-number invoicing inconsistent with current market spot price for the metal weight
Repeated buy-sell-buy patterns with the same counterparty within a short window
Use of high-value gift cards, prepaid cards, or virtual assets to settle precious-metal transactions
Refusal to provide invoices, certificates of authenticity, or chain-of-custody documentation

Product and Origin Red Flags

Gold dore bars or unrefined material with no verifiable origin documentation
Rough diamonds without a Kimberley Process Certificate
Bullion offered significantly below the LBMA spot price for no commercial reason
Suppliers based in jurisdictions identified by FATF as high-risk or under increased monitoring
Inconsistencies between the assayed purity and the supplier’s documentation

6. Independent AML Audit Requirements for DPMS

Cabinet Decision No. (10) of 2019 requires an independent audit function commensurate with the size and risk profile of the DPMS. For most DPMS in the UAE, this means engaging an external independent AML auditor, because in-house segregation of duties is rarely achievable.

Audit Frequency and Scope

Industry practice in the UAE has converged on annual independent AML audits for medium and high-risk DPMS firms, with biennial cycles acceptable for the lowest risk profiles only where evidenced. The audit scope must cover the EWRA methodology, CDD and EDD files, sanctions screening logs, transaction monitoring outputs, STR and DPMSR filing histories, training records, and the independence of the Compliance Officer.

What MOE Inspectors Look For

Recent MOE inspections have focused on:

Whether the EWRA was actually conducted in the past 12 months and signed off by senior management
The quality and completeness of UBO information for corporate customers
Evidence that sanctions screening occurs daily and at every transaction at or above threshold
STR filing rates relative to peer firms (zero filings is a flag, not a comfort)
Closure of findings from previous internal or external audits, with documented Remedial Action Plans

Independent AML audit for DPMS

Adil Zone conducts independent AML/CFT audits aligned with Federal Decree-Law No. 20 of 2018 and MOE supervisory expectations. Our audit team has reviewed compliance programmes for DMCC-licensed gold traders, Dubai Diamond Exchange members, and standalone DPMS firms across all seven emirates.

Request a gap analysis audit

7. Penalties for Non-Compliance

Penalty risk is not theoretical. The UAE has materially escalated AML enforcement against DPMS since the 2024-2027 National AML/CFT Strategy was published, and our roundup of UAE AML enforcement trends tracks the trajectory.

Administrative Fines

Under Article 14 of Federal Decree-Law No. (20) of 2018, administrative penalties on DNFBPs (including DPMS) range from AED 50,000 to AED 5,000,000 per violation. Multiple violations can be assessed cumulatively. Repeat offences attract aggravated fines and license consequences.

Criminal Liability

Senior management and Compliance Officers can face criminal liability for wilful failure to file an STR, tipping-off, or active participation in money laundering. Penalties include imprisonment and personal fines, with corporate penalties layered on top.

Reputational and Commercial Consequences

Beyond fines, supervised DPMS firms face license suspension, public naming on MOE bulletins, loss of bank account relationships, and contractual exit by international counterparties whose own AML policies prohibit dealing with sanctioned firms. In a sector that depends on bank financing, the reputational cost of an enforcement action often outweighs the direct fine.

8. A Practical 90-Day Compliance Roadmap for UAE DPMS

The following sequence is the one we use with newly onboarded DPMS clients who need to move from minimum registration to a defensible programme.

Phase	Days	Key Deliverables
Foundation	Days 1-30	Appoint Compliance Officer, complete goAML registration, draft EWRA, approve AML policy, contract sanctions screening tool
Operationalisation	Days 31-60	Roll out CDD/EDD templates, configure transaction monitoring rules, deliver foundational AML training, establish DPMSR filing workflow, run first reconciliation of cash transactions against threshold
Validation	Days 61-90	Conduct internal sample testing of CDD files, review STR/DPMSR filing log, deliver targeted DPMS training, schedule first independent AML audit, board briefing on residual risks

Targeted AML training for the gold and diamond trade

Compliance 360 runs a dedicated course, “Targeted AML for Dealers in Precious Metal Stones,” alongside specialist modules on the gold supply chain and trade-based money laundering. Sessions are delivered in-house with KHDA-approved certification.

Book a Compliance 360 course

Frequently Asked Questions

Do free zone DPMS firms have to register on goAML?

Yes. Every UAE-based DPMS, whether mainland or free zone, must register on goAML. Free zones with their own financial regulators may add jurisdictional requirements, but the federal goAML registration is mandatory across the board.

Is the AED 55,000 threshold per transaction or per customer per year?

The threshold applies to a single cash transaction or to linked (structured) cash transactions that together meet the threshold for the same customer. It is not a cumulative annual figure. A DPMS that conducts ten unrelated AED 30,000 cash sales to ten different customers is not subject to DPMSR for any of them, but multiple AED 30,000 transactions to the same customer in close succession would be assessed as linked.

What if my customer pays partly in cash and partly by bank transfer?

The AED 55,000 threshold applies to the cash portion. If the cash component reaches AED 55,000 or more, a DPMSR is required, even if the total transaction value is higher. The non-cash portion is documented in the transaction record but is not the trigger.

Can the same person serve as Compliance Officer and audit function?

No. Independence is a structural requirement. A DPMS may engage an external independent auditor, or, in larger firms, segregate the audit function from the Compliance Officer. Our team frequently sees this fail in family-run gold trading houses where the same individual signs off on both the EWRA and the audit, which is not defensible to MOE.

How long do I have to respond to an MOE inspection notice?

MOE inspection notices typically request documentation within 5 to 10 business days, with onsite visits scheduled shortly after. Inspectors expect the policy, EWRA, training register, CDD files, screening logs, STR/DPMSR submissions, and audit reports to be available immediately. Firms that scramble to assemble evidence after the notice is received generally score poorly on the inspection rating.

Are e-commerce platforms selling precious metals subject to DPMS rules?

Yes, if they hold inventory or settle transactions on their own account. Pure marketplace platforms that connect buyers and sellers without taking principal positions occupy a more nuanced regulatory space and should seek specific advice on their operating model.

What happens if I file a DPMSR late?

Late filing of a DPMSR is itself a violation of the regulations and can attract administrative penalties under Article 14. Self-disclosure to the supervisor before discovery typically results in lighter treatment than failures uncovered during an inspection, but the firm should be prepared to evidence why the deadline was missed and what process change prevents recurrence.

Do I need a separate STR filing if I have already filed a DPMSR for the same transaction?

Yes, if the transaction is suspicious. DPMSR is an objective threshold filing, while STR is a subjective suspicion filing. A single transaction can require both if it crosses AED 55,000 in cash and presents indicators of money laundering or terrorism financing.