1. The obligation is the registration, not the report
Most DMCC precious-metals firms think of goAML as the place you go when something happens — a suspicious customer, a transaction that doesn't add up. That's backwards, and it's the single most expensive misunderstanding in this corner of UAE compliance.
Registration on goAML is itself the obligation. A DPMS firm with an appointed Money Laundering Reporting Officer is required to be registered whether or not it has ever had a single reportable transaction. Failure to register is a standalone violation — the supervisor can fine you for it before you have ever done anything else wrong, and "we had nothing to report" is not a defence. Registration without reporting is fine; reporting without registration is impossible; not registering is a finding.
This guide walks the whole path: what goAML is, the two registrations you actually need, how to get registered, what you file once you are, and the handful of mistakes that catch firms out.
2. What goAML is
goAML is the reporting platform of the UAE Financial Intelligence Unit (FIU), which sits at the Central Bank. The software itself was built by the UN Office on Drugs and Crime and is used by financial intelligence units worldwide; the UAE runs its own instance. It is the single channel through which every Designated Non-Financial Business and Profession (DNFBP) — and a DMCC precious-metals dealer is a DNFBP — submits its regulatory reports to the FIU.
The FIU is not your supervisor. Your federal supervisor is the Ministry of Economy and Tourism (MoET), which inspects you and imposes fines. The FIU receives your reports and feeds intelligence to law enforcement. But the two are linked at the point that matters to you: failing to register or report on goAML is one of the violations MoET fines you for, and the reporting duty itself is set in Article 18 of Federal Decree-Law 10 of 2025.
3. The two registrations — and the one firms miss
Here is the trap. There is not one registration. There are two, and firms routinely complete the first and never realise the second exists.
Registration one — goAML. The FIU's reporting portal, where you file STRs, SARs and the DPMS-specific DPMSR (Section 5 below). This is the one everyone knows about.
Registration two — the Automatic Reporting System for sanctions. A separate registration, via the Ministry of Economy's targeted financial sanctions system, through which you receive notifications when the UAE Local Terrorist List or the UN Security Council consolidated list is updated. Sanctions screening only works if you actually learn when the lists change — and this registration is how the change reaches you. A firm registered on goAML but not on the sanctions reporting system has a live hole in its screening obligation, and it is exactly the kind of gap an inspection surfaces.
Do both. They are separate accounts, separate steps, and an inspector checks for both.
4. How to register on goAML
The mechanics below are accurate as of May 2026. Treat them as the shape of the process rather than a pixel-by-pixel script: the FIU and MoET refresh the portal screens and the document checklist from time to time, so always cross-check against the official MoET "Register in goAML" page before you start, and follow what it says where it differs from anything here.
The flow has two stages:
Stage one — SACM pre-registration. You first create access through the Security Access Control Management (SACM) layer. This is the identity/authentication gate that sits in front of goAML. As part of it you set up Google Authenticator on a phone — SACM uses a rotating one-time password (a new code every minute) rather than a static password, so the Authenticator app becomes your key to the portal. Keep it on a device the MLRO controls.
Stage two — Organisation registration on goAML. You register the firm as an Organisation, with the MLRO (your appointed compliance officer) as the registered user who acts for it. You will need, at minimum:
- the firm's trade/commercial licence (your DMCC licence);
- the MLRO's identity documents — passport, Emirates ID, and residency visa;
- a signed authorisation letter confirming the MLRO is empowered to act for the firm on AML matters.
Have these ready as clean scans before you start; the most common cause of delay is a missing or mismatched document. When the submission is complete and accepted, the FIU approves the account — typically within about 5–10 working days — and issues your Organisation ID, the reference that identifies your firm on every report you subsequently file.
Two practical notes. First, the MLRO's account is personal to the named officer: if that person leaves, the registration has to be updated, or you lose the ability to file. Second, register early — the day the licence is issued, not the day a transaction forces your hand. The approval window means goAML is not something you can stand up in an afternoon when an inspector asks.
5. What you actually file
Once registered, three report types matter to a DPMS firm. The first two are suspicion-driven; the third is the one unique to your sector, and it is not about suspicion at all.
STR — Suspicious Transaction Report. Filed when a transaction gives you reasonable grounds to suspect money laundering, terrorist financing, or a related predicate crime. Suspicion is the trigger, not value.
SAR — Suspicious Activity Report. The companion to the STR for suspicious activity or attempted dealings that may not be a completed transaction — an enquiry, a pattern, a customer who walks away when asked for ID. Same suspicion trigger, broader scope.
DPMSR — Dealer in Precious Metals and Stones Report. This is the report unique to your licence, and it is a threshold report, not a suspicion report — you file it because a transaction crossed a value line, whether or not anything about it looked wrong. A DPMSR is required for any of the following at or above AED 55,000:
- a cash transaction with an individual — resident or non-resident;
- a cash transaction with a corporate customer;
- an international wire transfer with a corporate customer.
Two details that catch firms out. Instalments and linked transactions count: a single dealing split into several cash payments — across days or visits — that accumulate to AED 55,000 or more triggers a DPMSR; a customer cannot stay under the line by paying in pieces, and treating each payment as separate is a reporting failure. And the clock is short — a DPMSR must be filed on goAML within two weeks of the qualifying transaction. AED 55,000 is also the same threshold at which your source-of-funds verification duty engages, so in practice the DPMSR and your source-of-funds evidence are produced from the same moment.
(goAML carries other report types — additional-information files and the like — but STR, SAR and DPMSR are the three a DPMS firm operates against day to day.)
6. What it costs to get this wrong
goAML failures sit inside the same penalty machinery as the rest of the framework. A supervisor can impose administrative fines from AED 10,000 to AED 5,000,000 per violation under Article 17 of FDL 10/2025, with the operating schedule for DNFBPs set by Cabinet Resolution 71 of 2024 (AED 50,000–1,000,000 per violation, doublable on repeat), plus non-monetary measures up to suspension of activity and licence revocation.
The point worth internalising: goAML violations are among the easiest for an inspector to evidence, because they are binary. You are either registered or you are not. The DPMSR for a qualifying transaction was either filed within the window or it was not. There is no judgement call to argue over, no "we interpreted it differently" — which is precisely why these failures convert so cleanly into fines.
7. The operator's checklist
If you run a DMCC DPMS firm, these are the goAML questions to be able to answer "yes" to without checking:
- Is the firm registered on goAML, with the MLRO as the registered user and a live Organisation ID?
- Is the firm also registered on the sanctions Automatic Reporting System, so you receive list updates?
- Is the Google Authenticator on a device the MLRO controls, and is the registered officer still the person actually in the role?
- Does everyone on the counter know that a cash transaction at AED 55,000+ triggers a DPMSR within two weeks — and that instalments add up?
- Do you have a written procedure for raising, escalating and filing on goAML, so it doesn't live only in the MLRO's head?
If any of those is a "let me check," that is the gap to close this week — and goAML gaps are quick to close compared with what they cost unaddressed.
8. Where this sits in the kit
A goAML account is plumbing; the discipline around it is the actual compliance. The Assay DMCC DPMS Compliance Starter Kit ships the STR & goAML Filing Procedure as one of its 28 documents — the written, step-by-step escalation-and-filing procedure an inspector expects to see, alongside the transaction-monitoring procedure that flags the AED 55,000 threshold and the linked-transaction rule. Registration you do once; the procedure is what proves you operate it.
Not sure where your firm stands on goAML and the rest of the framework? The free 5-minute Self-Assessment scores you against the full set of obligations and tells you, plainly, what's missing.
Last updated 31 May 2026. Drafted against the UAE AML framework in force May 2026 — FDL 10/2025, Cabinet Resolution 134/2025, Cabinet Resolution 71/2024 — and against current UAE FIU and MoET guidance on goAML registration and reporting. The goAML and SACM registration screens and document requirements are set by the FIU/MoET and change from time to time; verify the current process on the official MoET goAML page before registering. Not legal advice — for your firm's specific situation, consult a UAE-qualified compliance professional.