Dealers in Precious Metals and Stones (DPMS) in the UAE

Why DPMS Compliance Is No Longer Optional in the UAE

The UAE is one of the world’s most significant trading hubs for gold, diamonds, and precious stones. Dubai alone accounts for a substantial share of global gold trade, making the Dealers in Precious Metals and Stones (DPMS) sector one of the most economically vital and regulatory-sensitive industries in the country.

Yet precisely because of its scale, liquidity, and the near-universal value of its commodities, the DPMS sector has historically attracted heightened attention from financial crime authorities. Gold is compact, portable, globally accepted, and can be transacted in cash, characteristics that make it inherently susceptible to money laundering, terrorist financing, and proliferation financing (ML/TF/PF).

 

The UAE has recognised this risk unambiguously. Regulators have moved systematically to embed Dealers in Precious Metals and Stones (DPMS) within the country’s anti-money laundering and counter-terrorist financing (AML/CFT) legal architecture, treating them as Designated Non-Financial Businesses and Professions (DNFBPs) with serious and enforceable compliance obligations.

For businesses operating in this sector, the compliance landscape in 2025 and beyond is defined by clear legal requirements, active supervisory oversight, and escalating penalties for non-compliance. This guide explains, from a governance, risk, and compliance perspective, exactly what the DPMS sector must understand and do.

What Are Dealers in Precious Metals and Stones (DPMS) Under UAE Law?

Defining the DPMS Sector

Under UAE law, a Dealer in Precious Metals and Stones (DPMS) is any individual or entity (including their employees or representatives) who regularly engages in the production or trade of precious metals or stones as part of their business activities.

This definition, articulated in the Supplemental Guidance for Dealers in Precious Metals and Stones issued by the UAE Ministry of Economy, is intentionally broad. It encompasses a wide range of business models across the precious metals and stones value chain:

  • Gold dealers and traders (wholesale and retail)
  • Diamond and gemstone merchants
  • Jewellery manufacturers and retailers
  • Gold refineries and smelters
  • Bullion dealers
  • Precious stone importers and exporters
  • Auction houses dealing in high-value jewellery
  • Pawnbrokers accepting precious metals as collateral

Precious metals covered under the framework include gold, silver, platinum, and palladium. Precious stones include diamonds, rubies, emeralds, sapphires, and pearls. Semi-precious gemstones such as amethysts, opals, and jade may also fall under the scope depending on the transaction context and supervisory guidance applicable at the time.

When Does DPMS Status Trigger AML Obligations?

Not every transaction involving precious metals creates AML obligations. The legal threshold that determines when a DPMS entity must comply with AML/CFT/CPF requirements is clearly defined.

Article 3 of Cabinet Decision No. (134) of 2025 classifies DPMS entities as DNFBPs and therefore subject to full AML obligations when they carry out single or several linked cash transactions whose value equals or exceeds AED 55,000.

This threshold applies to:

  • Cash transactions with resident individuals of AED 55,000 or more
  • Cash transactions with non-resident individuals of AED 55,000 or more
  • Cash transactions with corporate entities of AED 55,000 or more

Transactions structured to fall just below the threshold, a practice known as structuring, are themselves a red flag and a potential violation of AML law.

The UAE Legal Framework Governing DPMS: Key Laws and Regulations

Federal Decree-Law No. (10) of 2025

The cornerstone of the UAE’s current AML/CFT/CPF architecture is Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering, Combating the Financing of Terrorism, Proliferation Financing, and Illegal Organisations. This law replaced the earlier Federal Decree-Law No. 20 of 2018 and represents a significant update to the country’s legal framework, aligning more closely with the Financial Action Task Force (FATF) recommendations.

For the Dealers in Precious Metals and Stones sector, the 2025 law introduces several noteworthy requirements:

  • It reinforces the classification of DPMS as DNFBPs, maintaining their status as regulated entities
  • It introduces mandatory cash and precious metals disclosure requirements for individuals entering or departing the UAE, requiring businesses to ensure adequate disclosure when staff carry cash, precious metals, or negotiable instruments across borders
  • It strengthens supervisory powers and the range of sanctions available against non-compliant entities

Cabinet Decision No. (134) of 2025

The implementing regulation of Federal Decree-Law No. (10) of 2025, Cabinet Decision No. (134) of 2025, provides the operational detail that DPMS entities must follow. Key requirements include:

  • Establishing internal AML/CFT/CPF policies commensurate with the nature and size of the business
  • Adopting a risk-based approach (RBA) to compliance
  • Conducting customer due diligence (CDD), enhanced due diligence (EDD) for high-risk customers, and simplified due diligence where appropriate
  • Filing the Dealers in Precious Metals and Stones Report (DPMSR) for qualifying transactions

Cabinet Decision No. (10) of 2019

Although superseded by the 2025 cabinet decision, Cabinet Decision No. (10) of 2019 remains a foundational reference for the UAE’s DNFBPs, including DPMS, as it established the original implementing framework for AML obligations in the sector.

Cabinet Resolution No. (74) of 2020: Sanctions Compliance

AML compliance for DPMS entities cannot be considered complete without addressing Targeted Financial Sanctions (TFS). Cabinet Resolution No. (74) of 2020 establishes the framework for implementing UN Security Council Resolutions related to terrorism, terrorist financing, and the proliferation of weapons of mass destruction. DPMS businesses must screen customers and transactions against relevant sanctions lists on an ongoing basis.

Ministerial Decree No. (68) of 2024: Responsible Gold Sourcing

Published in March 2024, Ministerial Decree No. (68) of 2024 extended the first three steps of the Ministry of Economy’s Due Diligence Regulations for Responsible Sourcing of Gold to a broader range of entities across the gold supply chain, not just refineries. Businesses involved in recycling, trading, or otherwise handling gold must now demonstrate adherence to responsible sourcing standards.

The Ministry of Economy and Tourism: Supervisory Authority for DPMS

The Ministry of Economy and Tourism (MoET) is the designated AML supervisory authority for the DPMS sector operating in the UAE Mainland and commercial free zones.

Under Article 17 of Federal Decree-Law No. (10) of 2025, the MoET has broad enforcement powers, including the authority to impose administrative penalties ranging from AED 10,000 to AED 5,000,000 for non-compliance. Beyond financial penalties, the MoET may also:

  • Suspend or revoke a business licence
  • Restrict specific business activities
  • Issue public warnings

The MoET’s enforcement posture has sharpened considerably in recent years. In August 2024, UAE authorities temporarily suspended 32 gold refinery licences (approximately 5% of Dubai’s refineries) following inspections that uncovered 256 separate AML/CFT violations. These included inadequate customer due diligence, failure to file Suspicious Transaction Reports, and gaps in sanctions screening. This enforcement action sent an unambiguous signal: non-compliance in the DPMS sector carries real and significant consequences.

Core AML/CFT Obligations for DPMS Entities in the UAE

1. goAML Registration and the DPMSR

All DPMS entities classified as DNFBPs are legally required to register on the UAE Financial Intelligence Unit’s (FIU) goAML portal. This platform, developed by the United Nations Office on Drugs and Crime (UNODC), serves as the UAE’s central system for receiving, analysing, and disseminating financial intelligence.

The registration process follows two stages:

  1. Pre-registration via the Security Access Control Management (SACM) system
  2. Full registration on the goAML portal, following approval by the Ministry of Economy

Once registered, DPMS entities are required to file the Dealers in Precious Metals and Stones Report (DPMSR) when they carry out qualifying cash transactions of AED 55,000 or more. DPMSR filings must be made within two weeks of the qualifying transaction occurring.

Failure to register on the goAML portal constitutes a violation of AML law and may attract fines of AED 50,000 to AED 1,000,000 per violation, or up to AED 5,000,000 in severe cases.

For detailed guidance on STR and goAML reporting, regulated DPMS entities should ensure their reporting processes are designed to meet both the technical and substantive requirements of the FIU’s reporting framework.

2. Appointment of a Money Laundering Reporting Officer (MLRO)

Every DPMS entity must designate a qualified Money Laundering Reporting Officer (MLRO), also referred to as a Compliance Officer, who is responsible for overseeing the implementation of the AML/CFT programme. The MLRO serves as the primary point of contact for regulatory communications and is personally accountable for the quality and timeliness of reporting.

The MLRO must have the appropriate seniority, independence, and competence to discharge these responsibilities effectively. This includes access to all business information necessary to make informed reporting decisions.

3. ML/TF/PF Risk Assessment

Before compliance controls can be designed, DPMS entities must first understand their risk exposure. A Business-Wide Risk Assessment (BWRA) must be conducted to identify, assess, and document the ML/TF/PF risks inherent in the business, considering factors such as customer types, geographic exposure, product and service profile, and transaction channels.

The UAE’s 2024 National Risk Assessment (NRA), referenced in Circular No. (4) of 2025, provides the national-level risk landscape that DPMS businesses must take into account when calibrating their own risk profiles.

For DPMS entities seeking a structured approach to risk identification, a thorough ML/TF/PF risk assessment forms the foundation of any effective compliance programme.

4. AML Policies and Procedures

DPMS entities must establish, implement, and maintain comprehensive AML/CFT/CPF policies and procedures that are:

  • Commensurate with the nature, size, and risk profile of the business
  • Reviewed and updated regularly to reflect changes in regulatory requirements or business operations
  • Documented in writing and accessible to all relevant staff

The policy framework must cover customer due diligence, enhanced due diligence, record-keeping, transaction monitoring, suspicious transaction reporting, sanctions screening, and staff training. Robust AML policies and procedures are not simply a compliance box-tick; they are the operational backbone of a defensible AML programme.

5. Customer Due Diligence (KYC/CDD)

Customer Due Diligence (CDD), also referred to as Know Your Customer (KYC), is one of the most operationally intensive obligations for DPMS entities. Under the framework, before or during a qualifying transaction, a DPMS business must verify:

  • Identity of the customer (and, for legal entities, beneficial owners holding 25% or more)
  • Nature and purpose of the business relationship
  • Source of funds involved in the transaction

The Implementation Guide for DNFBPs on Customer Due Diligence published by the UAE supervisory authorities in November 2024 provides detailed practical guidance for DPMS businesses on how to conduct CDD effectively.

For customers assessed as higher risk, such as Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, or those with complex ownership structures, Enhanced Due Diligence (EDD) must be applied before proceeding with the transaction.

A well-structured KYC and CDD framework is essential for DPMS businesses that want to manage customer risk assessment systematically rather than reactively.

6. Suspicious Transaction Reporting (STR)

When a DPMS entity has reasonable grounds to suspect that a transaction or attempted transaction involves the proceeds of crime, or is connected to terrorist or proliferation financing, it is legally obligated to file a Suspicious Transaction Report (STR) via the goAML portal.

There is no minimum value threshold for STR reporting; the duty is triggered by suspicion, not the size of the transaction. Importantly, DPMS entities must not tip off the customer that a report has been made or is being considered. Tipping off is a separate criminal offence under UAE law.

STR obligations are complemented by the DPMSR for threshold-based reporting of large cash transactions.

7. Ongoing Transaction Monitoring

AML compliance for DPMS entities is not a one-time exercise at onboarding. Businesses must maintain ongoing monitoring of both customer relationships and transactions, ensuring that customer information remains current and that transaction patterns are reviewed for anomalies or red flags.

Circular No. (8) of 2021 from the Ministry of Economy outlined specific KYC information requirements for DPMS entities when undertaking qualifying cash transactions, reinforcing the need for systematic monitoring.

8. Sanctions Screening

DPMS entities must screen customers and transactions against:

  • UAE local terrorist designation lists
  • UN Security Council sanctions lists
  • FATF high-risk and monitored jurisdiction lists

Screening must occur at onboarding and on an ongoing, real-time basis. Circular No. (3) of 2025 requires that screening processes be updated whenever the relevant lists change. For businesses requiring a structured approach to this obligation, sanctions screening and name screening must be embedded as continuous operational processes.

Engaging GRC Services for DPMS Compliance

Given the breadth and technical complexity of AML/CFT/CPF obligations in the DPMS sector, many businesses find that navigating compliance alone is operationally difficult and carries unnecessary risk. Engaging specialist GRC services allows DPMS businesses to build their compliance framework correctly from the outset rather than attempting to remediate gaps after a regulatory inspection has already identified them.

A well-scoped GRC engagement for a DPMS entity would typically cover: business-wide risk assessment, AML policy drafting, MLRO support and training, goAML registration, CDD framework design, transaction monitoring protocols, and inspection readiness reviews.

AML Training Requirements for DPMS Staff

Staff training is not a discretionary compliance element; it is a regulatory requirement. DPMS entities must ensure that all relevant employees receive appropriate AML training that covers:

  • The nature of money laundering, terrorist financing, and proliferation financing
  • The business’s specific ML/TF/PF risk profile
  • How to identify and respond to suspicious activity
  • The procedures for filing STRs and DPMSRs
  • Obligations under sanctions law

Training must be provided at onboarding for new staff and on an ongoing basis to reflect regulatory developments. Records of training delivered must be maintained for inspection purposes. Structured AML training programmes should be tailored to the specific risk environment of the precious metals and stones sector.

Red Flags and Financial Crime Typologies in the DPMS Sector

The UAE Financial Intelligence Unit’s Strategic Analysis Report on Misuse of Precious Metals and Stones in Financial Crime (September 2025) provides important intelligence on how the precious metals sector is exploited for financial crime. Understanding these typologies helps DPMS entities calibrate their monitoring and detection capabilities.

Common red flags in the DPMS sector include:

Transaction Red Flags:

  • Large cash payments at or just below the AED 55,000 threshold (structuring)
  • Multiple transactions on the same day by the same customer appearing designed to avoid reporting
  • Customers paying for high-value purchases with multiple, small-denomination banknotes
  • Third-party cash payments with no clear relationship to the customer

Customer Red Flags:

  • Customers reluctant to provide identification or explain the purpose of a transaction
  • Customers from high-risk jurisdictions listed by FATF
  • Politically Exposed Persons (PEPs) or their family members and close associates purchasing high-value items without clear explanation
  • Anonymous buyers or transactions structured through corporate vehicles with opaque beneficial ownership

Business and Trade Red Flags:

  • Unusual trading patterns inconsistent with the declared business profile
  • Purchase prices significantly above or below market value
  • Rapid recycling of gold: purchasing, melting, and reselling within very short timeframes
  • Transactions involving jurisdictions or counterparties subject to sanctions

Governance and Internal Controls for DPMS: The GRC Perspective

From a governance, risk, and compliance standpoint, effective DPMS compliance is not simply about meeting minimum regulatory requirements. It is about building an institutional culture and operational architecture that is resilient, verifiable, and capable of withstanding regulatory scrutiny.

Governance Structure

DPMS businesses, particularly larger ones, should establish clear governance oversight for compliance, including:

  • Senior management accountability for the AML/CFT programme
  • Board or executive-level review of compliance reports at regular intervals
  • Documented delegation of authority and escalation pathways

Risk-Based Approach

The UAE’s regulatory framework mandates that DPMS entities adopt a risk-based approach (RBA) to compliance. This means that the intensity of due diligence, monitoring, and controls applied to any given customer or transaction should be proportionate to the assessed risk. A wholesale bullion trader dealing with verified institutional counterparties will have a different risk profile than a retail jeweller handling walk-in cash customers.

Record-Keeping

DPMS entities must retain all customer identification records, transaction records, and CDD documentation for a minimum of five years from the date of the transaction or the end of the business relationship, whichever is later. Records must be stored in a manner that allows them to be retrieved promptly in response to a regulatory request.

Internal Audit and Compliance Review

An effective compliance programme requires periodic independent review. AML internal audit processes should be used to test whether the AML/CFT programme is functioning as designed, identifying gaps, weaknesses, and areas for remediation before regulators identify them. This is also closely linked to regulatory inspection readiness, which ensures that when the MoET or FIU conducts an inspection, the business is prepared to respond calmly and competently.

PEP and High-Risk Customer Management in DPMS

Politically Exposed Persons (PEPs) and high-risk customers require particular attention in the DPMS sector. Given the high values typically involved in precious metals and stones transactions, even a single high-risk customer relationship that is inadequately managed can create significant regulatory exposure.

DPMS entities must have a clearly documented process for:

  • Identifying whether a customer is a PEP or related to a PEP
  • Obtaining senior management approval before establishing or continuing a relationship with a PEP
  • Conducting enhanced due diligence on the source of wealth and source of funds
  • Applying ongoing enhanced monitoring to the relationship

Robust PEP and high-risk customer management processes must be embedded in the CDD framework, not treated as an exceptional or ad hoc activity.

Responsible Sourcing of Gold: The Supply Chain Dimension

Beyond transactional AML compliance, DPMS entities, particularly those involved in the gold supply chain, must address the sourcing dimension of their compliance obligations.

Ministerial Decree No. (68) of 2024 extends due diligence requirements for responsible sourcing of gold beyond refineries to other entities in the supply chain. This means that gold dealers, traders, and recyclers must now be able to demonstrate that the gold they handle has not originated from conflict zones or been produced under conditions associated with human rights abuses or environmental harm.

The responsible sourcing framework aligns with international standards including the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas.

Conclusion: Building a Defensible DPMS Compliance Programme

The regulatory landscape for Dealers in Precious Metals and Stones in the UAE is comprehensive, actively enforced, and continuing to evolve. Federal Decree-Law No. (10) of 2025, Cabinet Decision No. (134) of 2025, the DPMSR reporting obligation, and the MoET’s escalating enforcement posture all confirm that compliance in this sector is not a background consideration; it is a licence-to-operate requirement.

For DPMS businesses, the path forward is not simply to check compliance boxes. It is to build a programme that is genuinely integrated into the business, one where risk is identified systematically, due diligence is applied proportionately, suspicious activity is reported promptly, and governance structures support accountability at every level.

GRC Advisors works with DPMS businesses, DNFBPs, and regulated entities across the UAE to design, implement, and continuously improve compliance frameworks that are built to withstand regulatory scrutiny. Whether the need is for a comprehensive AML programme, a targeted risk assessment, regulatory inspection readiness, or ongoing advisory support, GRC Advisors brings the regulatory expertise and practical experience to help DPMS businesses operate with confidence and compliance.

FAQs: GRC for Dealers in Precious Metals and Stones (DPMS) in the UAE

Who qualifies as a Dealer in Precious Metals and Stones (DPMS) in the UAE?

Under UAE law, a DPMS is any individual or legal entity that regularly engages in the production or trade of precious metals (such as gold, silver, platinum) or precious stones (such as diamonds, rubies, sapphires, and emeralds) as part of their business. This includes jewellers, gold traders, diamond merchants, bullion dealers, refineries, and auction houses handling high-value items.

Article 3 of Cabinet Decision No. (134) of 2025 stipulates that DPMS entities become subject to full AML/CFT/CPF obligations, including DPMSR filing, when they conduct single or linked cash transactions amounting to AED 55,000 or more. This applies to transactions with individuals (resident and non-resident) and corporate entities alike.

The Dealers in Precious Metals and Stones Report (DPMSR) is a mandatory report that DPMS entities must file through the UAE FIU’s goAML portal when they conduct qualifying cash or wire transactions of AED 55,000 or more. The report must be submitted within two weeks of the qualifying transaction.

Under Article 17 of Federal Decree-Law No. (10) of 2025, the Ministry of Economy and Tourism can impose administrative fines ranging from AED 10,000 to AED 5,000,000 per violation. Additional sanctions include suspension or revocation of a business licence and restriction of business activities. The UAE has demonstrated its willingness to enforce these penalties, including the temporary suspension of 32 gold refinery licences in 2024.

Yes. All DPMS entities classified as DNFBPs are legally required to register on the UAE FIU’s goAML portal and to report qualifying transactions and suspicious activities through this platform. Registration is mandatory even if no suspicious transactions have occurred. Failure to register is treated as an AML compliance failure and carries significant fines.

The Ministry of Economy and Tourism (MoET) is the designated AML supervisory authority for the DPMS sector in the UAE Mainland and commercial free zones. It is responsible for supervising DPMS compliance, conducting inspections, issuing guidance and circulars, and imposing administrative penalties for non-compliance with AML/CFT/CPF obligations.
