

DFSA AML Rulebook (DIFC)
What is the DFSA AML Rulebook?
The DFSA AML Rulebook — formally the Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML Module) — is the dedicated rulebook issued by the Dubai Financial Services Authority (DFSA) for firms operating in the Dubai International Financial Centre (DIFC). It sets out the binding anti-money-laundering, counter-terrorist-financing, and sanctions obligations that every Authorised Person, DNFBP, and other Relevant Person in the DIFC must satisfy.
The rulebook implements the UAE's federal AML/CFT framework — anchored in Federal Decree-Law No. (20) of 2018 — within the DIFC free-zone jurisdiction, and aligns DIFC firms with the FATF 40 Recommendations, UN sanctions regimes, and the UAE Cabinet's targeted financial sanctions framework. For the broader country-level picture, see our overview of AML/CFT guidelines in the UAE.
Who must comply with the DFSA AML Rulebook
The AML Module applies to all Relevant Persons licensed, registered, or recognised by the DFSA. This covers banks, asset managers, investment firms, brokers, custodians, insurers and reinsurers, payment service providers, fund managers, and crypto-token service providers operating under the DFSA's regime. It also reaches the DIFC's DNFBPs — independent legal professionals, accountants, dealers in precious metals and stones, real-estate brokers, and trust and corporate service providers — together with Registered Auditors of Authorised Persons. Compliance accountability sits with senior management, but day-to-day oversight is exercised by a designated Money Laundering Reporting Officer (MLRO) based in the UAE.
New entrants can review our walkthrough of AML registration in the UAE for the end-to-end onboarding process.
MLRO requirements under the DFSA AML Rulebook
Every Relevant Person must appoint a Money Laundering Reporting Officer (MLRO) who is resident in the UAE and of sufficient seniority to act independently from commercial functions. The MLRO must have direct access to senior management and the governing body, and the authority to file Suspicious Transaction Reports (STRs) without management approval. A Deputy MLRO must also be appointed to ensure continuity. The MLRO is responsible for producing an annual MLRO report to senior management — covering the firm's AML/CFT framework, key risks, STR activity, training, and recommendations for improvement — and the firm must submit a separate Annual AML Return to the DFSA covering similar topics.
CDD, EDD and beneficial ownership
Standard CDD under the AML Module requires identifying and verifying the customer using reliable, independent source documents or data. For legal persons, this extends to identifying any beneficial owner — typically the natural person owning or controlling 25% or more of the entity, or otherwise exercising control — and verifying their identity on a risk-based basis. EDD applies whenever risk is elevated: PEPs, customers from FATF high-risk jurisdictions or jurisdictions under increased monitoring, non-face-to-face onboarding without strong identity assurance, complex ownership structures, or unusually large or unexplained transactions. EDD measures include senior-management approval to begin or continue the relationship, source-of-funds and source-of-wealth checks, and intensified ongoing monitoring — for a category-by-category playbook, see our guide on how to conduct EDD in the UAE. Many DIFC firms automate these checks at scale through a unified AML screening platform that combines sanctions, PEP, and adverse-media coverage with continuous monitoring.
Sanctions screening and targeted financial sanctions
The rulebook obliges Relevant Persons to comply with UN Security Council sanctions and the UAE Local Terrorist List maintained by the UAE Cabinet. Firms must screen all customers, beneficial owners, and counterparties at onboarding, periodically thereafter, and immediately when sanctions lists are updated. Any positive match must be frozen without delay and reported to the UAE Executive Office for Control and Non-Proliferation. Sanctions failings — missed screenings, unjustified false-positive dispositions, late freezes — are among the most heavily penalised areas in DFSA enforcement. For a deeper primer on screening logic, list coverage, and false-positive handling, see our sanctions screening AML guide.
Suspicious transaction reporting (STR) via goAML
When a Relevant Person knows, suspects, or has reasonable grounds to suspect money laundering, terrorist financing, or a predicate offence, the MLRO must file an STR with the UAE Financial Intelligence Unit through the goAML platform as soon as practicable. Firms are also subject to strict tipping-off prohibitions — they must not disclose the existence or content of an STR to the customer or any unauthorised third party, even when the customer queries a frozen transaction or terminated relationship.
Annual AML Return
A distinctive feature of the DFSA regime is the Annual AML Return, a structured submission that every Authorised Person and DNFBP must file with the DFSA each year. The return captures the firm's AML/CFT framework, customer base by risk band, training and screening activity, STR volumes, and material AML incidents. The DFSA uses the Annual Return as a primary supervisory data source — feeding both off-site monitoring and on-site inspection planning — so the quality of the data submitted directly influences the level of regulatory scrutiny the firm receives.
DFSA AML Rulebook vs FSRA AML Rulebook (ADGM)
The UAE has two free-zone AML regimes that are structurally similar but operationally distinct. Both implement UAE Federal Decree-Law No. (20) of 2018 and align with FATF standards; the differences sit in supervisory style, fee structures, certain procedural details, and the scope of activities each authority licenses. The table below summarises where the two regimes overlap and where they diverge.
| Aspect | DFSA (DIFC) | FSRA (ADGM) |
|---|---|---|
| Free zone | Dubai International Financial Centre | Abu Dhabi Global Market |
| Supervisor | Dubai Financial Services Authority | Financial Services Regulatory Authority |
| Federal law alignment | UAE Federal Decree-Law No. (20) of 2018 | UAE Federal Decree-Law No. (20) of 2018 |
| MLRO requirement | UAE-resident MLRO and Deputy | UAE-resident MLRO and Deputy |
| STR platform | UAE FIU via goAML | UAE FIU via goAML |
| Recordkeeping minimum | At least 6 years | At least 6 years |
| Annual AML Return | Required (DFSA-specific structured filing) | Not required as a structured return |
| Sample license scope | Banking, asset management, insurance, payments, crypto-token services, DNFBPs | Banking, asset management, brokers, payments, DNFBPs |
For the parallel ADGM regime, see our entry on the FSRA AML Rulebook (ADGM). Firms operating across both free zones — or across free zones and onshore UAE — must reconcile all applicable layers.
Recordkeeping and documentation
DFSA Relevant Persons must maintain comprehensive AML/CFT records — CDD and EDD documentation, transaction records and monitoring outputs, STR filings and supporting analysis, risk assessments and methodology, MLRO and Annual AML Return documents, sanctions screening logs, and training records — for at least six years from the end of the customer relationship or completion of the transaction. Records must be retrievable and provided to the DFSA promptly on request.
Key Obligations
Business risk assessment — document ML/TF/PF risks across customers, products, services, geographies, and delivery channels.
Customer Due Diligence (CDD) — identify and verify customers and beneficial owners; understand the nature and purpose of the relationship before transactions begin.
Enhanced Due Diligence (EDD) — apply intensified checks for higher-risk customers, including PEPs, customers from high-risk jurisdictions, and complex ownership structures.
Sanctions screening — screen against UN, UAE Cabinet, and other applicable lists at onboarding and on an ongoing basis; freeze positive matches without delay.
Transaction monitoring — calibrate monitoring to the firm's risk profile; detect activity inconsistent with the customer's declared profile.
STR filing via goAML — file STRs with the UAE Financial Intelligence Unit as soon as practicable; tipping off the customer is strictly prohibited.
MLRO oversight and Annual AML Return — appoint a UAE-resident MLRO and Deputy; produce an annual MLRO report and submit the DFSA-specific Annual AML Return.
Recordkeeping and training — retain records for at least six years; provide ongoing, role-appropriate AML/CFT training to staff.
Manual Details
| Issued by | Dubai Financial Services Authority (DFSA) |
|---|---|
| Jurisdiction | Dubai International Financial Centre (DIFC) — United Arab Emirates |
| Applies to | Authorised Persons, DNFBPs, Registered Auditors, and other Relevant Persons in the DIFC |
| Category | AML/CFT |
| Related law | UAE Federal Decree-Law No. (20) of 2018 on AML/CFT |
FAQ
What is the DFSA AML Rulebook?
The DFSA AML Rulebook — formally the AML, Counter-Terrorist Financing and Sanctions Module — is the rulebook issued by the Dubai Financial Services Authority for firms operating in the Dubai International Financial Centre. It sets out binding AML/CFT and sanctions obligations for Authorised Persons, DNFBPs, and other Relevant Persons in the DIFC.
Who needs to comply with the DFSA AML Rulebook in the DIFC?
All Relevant Persons licensed, registered, or recognised by the DFSA — including banks, asset managers, investment firms, brokers, insurers, payment providers, crypto-token service providers, registered auditors, and DNFBPs such as legal professionals, accountants, real-estate brokers, and corporate service providers.
What is the difference between the DFSA AML Rulebook and the FSRA AML Rulebook?
The DFSA AML Rulebook applies to firms in the Dubai International Financial Centre (DIFC). The FSRA AML Rulebook applies to firms in the Abu Dhabi Global Market (ADGM). Both implement UAE federal AML/CFT law and align with FATF standards but have separate supervisors, fee structures, and certain procedural requirements such as the DFSA's Annual AML Return.
Does the DFSA AML Rulebook require an MLRO?
Yes. Every Relevant Person must appoint a UAE-resident Money Laundering Reporting Officer with sufficient seniority and independence to file Suspicious Transaction Reports without management approval. A Deputy MLRO must also be appointed for continuity, and the MLRO must produce an annual report to senior management.
How are suspicious transactions reported under the DFSA AML Rulebook?
The MLRO files a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit through the goAML platform as soon as practicable after a suspicion arises. Tipping off the customer about the report is strictly prohibited.