The DMCC DPMS Operator's Guide to UAE AML/CFT/CPF Compliance.

1. The 60-day reality

A DMCC DPMS licence comes with federal AML/CFT obligations from the day it's issued. Not from your first transaction. Not from your first cash deposit. From the date on the licence.

In the first half of 2025 alone, the Ministry of Economy and Tourism recorded 1,063 AML violations across UAE designated non-financial businesses, with fines exceeding AED 42 million. Dealers in Precious Metals & Stones accounted for 473 of those violations and AED 20 million of those fines — close to half of all DNFBP enforcement by fine value, and the largest single segment by fine value (real-estate brokers took marginally more violations at 495, but a lower fine total at AED 18.5 million) (MoET H1 2025 inspection results). DPMS is the most-fined DNFBP segment in the UAE by sector.

Most DPMS founders find out about their AML obligations when one of three things happens: their bank requests the firm's AML framework during account opening; their auditor asks during the first annual audit; or DMCC sends an inspection notice. By the time any of those moments arrives, the firm has weeks — not months — to retrofit a compliance framework that the law expected from the day of licensing.

This guide sets out what's actually required, by whom, by when, with the source instrument cited for each obligation. The intent is operational: if you're a DPMS owner, GM or MLRO, you should be able to read it, understand exactly what your firm needs in place, and either confirm you're covered or list the gaps.

2. The framework — what laws apply to you

UAE AML/CFT/CPF regulation for DPMS firms is built from a small number of named instruments. Knowing which is which is the difference between an operator who can answer a regulator question and one who can't.

The primary law is Federal Decree-Law No. 10 of 2025 on Combating Money Laundering, the Financing of Terrorism and the Financing of Proliferation. It came into force on 14 October 2025 and replaced the previous law, Federal Decree-Law No. 20 of 2018. Its executive regulations are Cabinet Resolution No. 134 of 2025, in force from 14 December 2025; the executive regulations comprise 71 articles and roughly 300 enforceable requirements, and convert the law's principles into operational duties.

Beneath those two instruments sit several others that operate at the level a DPMS firm actually deals with day-to-day:

• Cabinet Resolution No. 71 of 2024 — the unified DNFBP violations and administrative fines schedule. Lists 41 violation categories and sets fines from AED 50,000 to AED 1,000,000 per violation, doublable on repeat (Article 5(2)).
• Cabinet Decision No. 109 of 2023 — the beneficial ownership regime. In force 6 November 2023; replaced Cabinet Decision No. 58 of 2020 but carries forward the same 25% direct/indirect ownership-or-control threshold and the senior-managing-official fallback.
• Cabinet Decision No. 74 of 2020 — sanctions implementation and the UAE Local Terrorist List; gives effect to UN Security Council resolutions in UAE law.
• Ministerial Decree No. 68 of 2024 — Due Diligence Regulations for the Responsible Sourcing of Gold. Sector-specific to gold; applies the OECD due-diligence framework in UAE law.
• Ministry of Economy DPMS Supplemental Guidance (May 2019) — sector-specific operational guidance, distributed to member firms by both MoET and DMCC.
• DMCC Guidance Note for Member Companies — AML/CFT — DMCC's member-firm AML/CFT guidance, supplementing the federal framework with operational expectations specific to DMCC members.
• DMCC Rules for Risk-Based Due Diligence in the Gold and Precious Metals Supply Chain — supply-chain-specific rules for DMCC members.

Internationally, the framework is grounded in the FATF Recommendations — principally Recommendations 1 (risk-based approach), 10 (customer due diligence), 11 (record-keeping) and 22(c), the last of which extends financial-sector CDD requirements to DPMS engaged in any cash transaction at or above USD/EUR 15,000. The UAE applies a tighter threshold; we'll return to that below.

The operator who knows the source for each obligation can answer any regulator question. Knowing the source list is the first competence.

3. Who supervises you

There are three layers of authority over a DMCC-licensed DPMS firm.

The first is federal AML supervision, exercised by the Ministry of Economy and Tourism (MoET, formerly the Ministry of Economy) — the federal supervisor for four DNFBP categories, including DPMS. MoET conducts inspections, issues findings, and imposes the administrative fines under Cabinet Resolution 71/2024. The recent inspection results above are MoET's.

The second is DMCC, your free-zone licensing authority. DMCC is not your federal AML supervisor, but as the entity that issued your licence it adds member-firm obligations on top of the federal floor — its AML/CFT Guidance Note and its Risk-Based Due Diligence Rules sit above the federal framework, and DMCC enforces compliance with them as a condition of licence.

The third is the UAE Financial Intelligence Unit (FIU) at the Central Bank, which operates the goAML reporting portal. The FIU doesn't supervise you for compliance, but it receives every Suspicious Transaction Report (STR), Suspicious Activity Report (SAR) and Dealer in Precious Metals and Stones Report (DPMSR) you file. Failure to file when required is one of the violations MoET fines you for.

Three layers, three remits. Knowing which one to call on a given question is the day-two competence.

4. The ten things you actually need

The substance. Each item is a real obligation a regulator can fine you for; each cites the source instrument for verification.

• (a) A written AML/CFT/CPF Policy & Procedures Manual, approved by senior management. The firm's master document. It defines your risk appetite, sets the rules every other procedure operates within, and is the first document a bank, auditor or inspector will ask for. It must be approved by senior management and reviewed at least annually. The internal compliance-programme requirement that the Manual implements sits in Article 21 of Cabinet Resolution 134/2025.
• (b) An appointed Money Laundering Reporting Officer (MLRO) with the seniority to actually stop a transaction. The MLRO is the named individual who receives internal escalations, files STRs to goAML, and reports to senior management on the firm's AML posture. The role can't be the licence-holder by default in many setups — it needs independence of judgment. The MLRO owes senior management a periodic written report on the firm's AML compliance; the typical frequency is semi-annual, carried over from the prior regime. The MLRO-appointment requirement sits in Article 21 of Cabinet Resolution 134/2025 — the same article that covers internal compliance programmes and staff training.
• (c) Active registration on the goAML portal. Operated by the UAE FIU at the Central Bank. Every DPMS firm with an MLRO needs an account, regardless of whether the firm has had any reportable activity. Registration without reporting is acceptable; reporting without registration isn't possible. Failure to register is itself a fineable violation under CR 71/2024.
• (d) KYC and Enhanced Due Diligence (EDD) procedures. Risk-based: standard customer due diligence for ordinary customers, EDD when risk indicators trigger (politically-exposed persons, high-risk jurisdictions, complex ownership structures, unusual transaction patterns). The procedures must be written and operated — not improvised on the day. The risk-based-approach and customer-due-diligence requirements sit in Articles 5–9 of Cabinet Resolution 134/2025.
• (e) A documented business-wide risk assessment, reviewed at least annually. Not a customer risk assessment — a firm risk assessment that scores the business across customer, geographic, product/service and delivery-channel risk factors, with the methodology documented and the score reproducible. This is the document MoET inspectors ask for first, because its absence is also the easiest violation to evidence: it either exists or it doesn't. The requirement is in Cabinet Resolution 134/2025; the firm-level assessment must also integrate the findings of the 2024 UAE National Risk Assessment.
• (f) Staff training, with attendance records. Every staff member who could encounter a high-risk customer or unusual transaction needs to know the firm's red flags, the escalation path, and the tipping-off prohibition under Article 29 of FDL 10/2025. Training must be delivered, dated and signed. An untrained staff member who fails to flag a transaction is a finding against the firm. The training duty sits in Article 21 of Cabinet Resolution 134/2025, tied to the same internal-compliance-programme block as the MLRO appointment.
• (g) Source-of-funds verification for any cash transaction at or above AED 55,000. Single transactions and "linked transactions" both count toward the threshold — a customer cannot split a single payment across consecutive days to stay below it. The threshold is set in Article 3(3) of Cabinet Resolution 134 of 2025 and is unchanged from the prior regime. At the UAE's USD-pegged exchange rate AED 55,000 ≈ USD 15,000 — sitting at the USD-side floor of the FATF Recommendation 22(c) standard (more on this in §9). Verification means asking for, receiving and documenting evidence of where the funds come from — a payslip, a sale contract, a bank statement, an inheritance document, depending on the customer profile.
• (h) Sanctions and PEP screening at onboarding, and ongoing. Every customer screened at onboarding against the UAE Local Terrorist List, the UN Security Council consolidated list, and the firm's chosen sanctions data provider, then re-screened whenever a list updates. The Local Terrorist List regime sits in Cabinet Decision No. 74 of 2020.
• (i) Five-step OECD due diligence on gold supply chains. Gold refiners do all five steps of the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas; non-refining DPMS firms (traders, jewellers, retailers) do the first three. The UAE implements this through Ministerial Decree No. 68 of 2024 (Due Diligence Regulations for Responsible Sourcing of Gold).
• (j) Record-keeping for at least five years. Every customer file, every transaction record, every screening log, every MLRO report, every training attendance record — five years from the end of the customer relationship or the date of the transaction, whichever is later. The retention requirement and the five-year minimum sit in Article 25(2) of Cabinet Resolution 134/2025, counted from the latest trigger event.

That's the ten-item list a competent DPMS firm operates against. Eight of the ten are document-bound; two — (g) source-of-funds verification and (h) sanctions screening — are transaction-time disciplines that the staff have to live. Both kinds get inspected.

5. What it costs if you don't have it

Penalties under UAE AML law operate at two layers.

The statutory envelope sits in Article 17 of Federal Decree-Law 10/2025: administrative fines from AED 10,000 to AED 5,000,000 per violation, plus non-monetary measures up to and including warnings, restrictions on activity, suspension of senior managers, and revocation of the licence. That's the upper ceiling of what a supervisor can impose.

Inside that envelope, the operating schedule for DNFBPs supervised by MoET and the Ministry of Justice is Cabinet Resolution No. 71 of 2024, the unified DNFBP violations and administrative fines list. CR 71/2024 lists 41 violation categories with fines from AED 50,000 to AED 1,000,000 per violation. Indicative bands: AED 50,000–200,000 for customer-due-diligence failures; AED 100,000–500,000 for enhanced-due-diligence failures; AED 50,000–1,000,000 for failure to act on national risk assessment findings. On a repeat violation, the fine can be doubled (Article 5(2)), and the supervisor can layer on additional administrative measures under FDL 10/2025 Article 17.

Direction of travel: in H1 2025 alone, MoET issued AED 20 million in fines across 473 violations on DPMS firms — the single largest DNFBP sector by both count and value. In May 2026, the Minister of Economy and Tourism personally conducted an inspection tour of the Dubai Gold Souq. In February 2026, MoET tightened guidance for real estate, precious metals and crypto DNFBPs. Enforcement is intensifying, not slowing. The fine schedule, the inspection focus and the political attention all point in the same direction.

The arithmetic on cost-of-compliance versus cost-of-non-compliance is one-sided. An AED 50,000 fine for a single CDD failure is the floor; a single AED 500,000 fine for an EDD failure costs more than building the framework from scratch.

6. When founders find out — and the cost of finding out late

Three discovery moments, in the order most DPMS founders meet their AML framework:

The bank. UAE banks treat DPMS firms as high-risk customers — they have to, under their own AML obligations. Account opening, or even renewal, triggers a request for the firm's AML/CFT policy, MLRO appointment letter, risk assessment, and source-of-funds procedure. A firm that hands over nothing — or, worse, generic Word templates pulled off the internet — gets account opening declined or an existing account closed. The reputational cost ripples; banks talk to each other, and closing an account is recorded.

The auditor. The firm's first annual audit asks the same questions in a different register: show me the policy, the procedures, the MLRO sign-offs, the screening logs, the training records. A clean audit needs the framework to have been operating for the period under audit — retrofitting documents at audit time produces qualified opinions and uncomfortable conversations with the auditor's risk committee.

The inspector. A MoET inspection notice gives the firm a window — typically days, not weeks — to produce the documents listed in the notice. The inspector arrives with the published violations checklist from CR 71/2024 and walks through it line by line. Missing documents, missing sign-offs and missing screening logs each become a documented violation with its own fine reference.

The pattern: most firms find out about the framework when they have least time to build it. The framework the law expected on day one of the licence is the framework the bank, the auditor and the inspector all expect on the day they ask. Compressing months of work into days produces the wrong kind of attention.

7. What good looks like — the operating rhythm

Compliance isn't a build, it's an operating practice. A DPMS firm that has the framework but doesn't operate it is in worse shape than a firm that doesn't have the framework at all — the inspector sees the policies on the shelf and the absence of evidence they were used, and that becomes a documented gap rather than an absence.

The rhythm:

Monthly — sanctions list refresh (every list provider issues updates monthly or more often); transaction monitoring review (the MLRO or a delegate walks the period's high-value or high-risk transactions and signs off on them).

Semi-annually — the MLRO files a written compliance report to senior management covering AML activity for the period: STRs filed, screening hits resolved, training delivered, exceptions raised. The semi-annual cadence carries over from the prior regime; Cabinet Resolution 134/2025 codifies the reporting obligation under the same internal-compliance-programme block (Article 21) without specifying frequency.

Annually — the business-wide risk assessment is reviewed and updated; the AML/CFT/CPF Policy & Procedures Manual is reviewed; all-hands AML training is refreshed for every staff member; an independent AML audit is commissioned (typically by an external firm) and its findings are addressed.

Ongoing — every transaction — KYC at onboarding; source-of-funds verification at AED 55,000+ cash; sanctions screening at onboarding; suspicious-transaction reporting on goAML when triggered; record-keeping at every step.

A firm operating this rhythm produces, almost as a by-product, the documentary evidence an inspector wants to see. A firm not operating it produces nothing — the same gap that drove roughly half of MoET's H1 2025 enforcement.

8. The trap most firms fall into

Treating policies as paper, not as operating documents.

The trap is documented in MoET's published violation patterns: the most-cited failures are not "no policy at all" — they are "policy on the shelf, no evidence of use." A firm with a 47-page AML/CFT Policy & Procedures Manual but no dated senior-management sign-off, no training attendance log, no MLRO semi-annual report, no screening log: that firm is in a worse position than a firm with no policy, because its written policy proves the firm knew the obligation and didn't operate it.

The implication for daily operations is small and unglamorous. Sign-offs dated. Logs filled in. Training delivered and attendance recorded. The MLRO report written every six months and filed with senior management. Boring discipline; outsized inspection value.

The phrase to internalise is one our inspection-readiness checklist carries: a policy in use beats a policy on a shelf. Operate the framework — the documentary trail builds itself.

9. The international context

The UAE framework is grounded in the FATF Recommendations — principally Recommendations 1 (the risk-based approach), 10 (customer due diligence), 11 (record-keeping) and 22 (DNFBPs). Recommendation 22(c) is the one that explicitly catches DPMS, at the USD/EUR 15,000 cash threshold; the UAE applies AED 55,000, which at the UAE's USD-pegged exchange rate is effectively the USD-side floor of that standard.

UAE was placed on the FATF Grey List ("jurisdictions under increased monitoring") on 4 March 2022 and removed on 23 February 2024 — roughly twenty-four months of intensified domestic supervision and regulatory tightening that produced the framework currently in force. The country now sits in MENAFATF Enhanced Follow-Up, with periodic progress reporting against the action items.

The practical meaning for a DPMS firm: the framework is settled, but enforcement is more intense after de-listing rather than less. The UAE has a credibility position to defend internationally, and DPMS is one of the most visible DNFBP sectors. The operator who's ready stays ready — and the operator who isn't gets enforcement that the regulator has every political reason to publicise.

10. Closing

The framework is operable. Knowing the source for each obligation, building the ten documents, and running the operating rhythm gets a firm from licence-issuance to inspection-ready in days, not months. The compressed-timeline trap most firms fall into is avoidable.

That is why we built the Assay DMCC DPMS Compliance Starter Kit. Twenty-eight documents — the Policy & Procedures Manual, the MLRO appointment letter and job description, every KYC form, the working risk-assessment matrix in Excel, the training deck, the inspection-readiness checklist, the goAML filing procedure — drafted against this exact framework, ready to adopt in 48 hours.

Want to see where your firm stands today? The free 5-minute Self-Assessment scores your firm against the ten obligations above and tells you, in plain English, what's missing.

Your DMCC DPMS licence came with 60 days of AML homework. We did it for you.

Last updated 30 May 2026. Drafted against the UAE AML framework in force May 2026 — FDL 10/2025 + CR 134/2025 + CR 71/2024 + CD 109/2023 + CD 74/2020 + MD 68/2024, with the DMCC AML/CFT Guidance Note, the MoE DPMS Supplemental Guidance and the OECD Due Diligence Guidance for Responsible Supply Chains. Where the framework moves, this article is reviewed and dated forward. Not legal advice — for bespoke counsel on your firm's specific situation, consult a UAE-qualified compliance professional.