  • 2. Understanding Risks

    There is no uniform global approach to regulation of the Payment Sector and participants may be classified as different types of entities in different regulatory regimes. Some types of participants may be regulated as financial institutions in some jurisdictions but not in others. Operating within a global financial center, LFIs in the UAE may be exposed not just to participants licensed by the CBUAE, but also to those operating globally. This exposure can be direct (i.e., providing financial services directly to a participant), or indirect (e.g., when a customer initiates a withdrawal from his checking account using a foreign smartphone-based app that he has linked to that account).

    The Payment Sector is becoming increasingly diverse, and payment processes more complex. The Payment Sector is no longer solely dominated by traditional financial institutions like banks and exchange houses, which also offer new and innovative methods using the internet or mobile phone technology. A variety of new types of Payment Sector participants, such as companies that offer internet- or smartphone-based payment applications and providers of prepaid cards and devices, are involved in a growing percentage of all payment transactions. These entities allow almost anyone to accept and originate payments using a wide variety of techniques and payment routes. Whenever a customer makes a purchase or pays a bill online, these new participants are likely to be involved. These entities may also be used outside commercial contexts, such as by crowdfunding platforms or charitable organizations.

    Furthermore, as innovative technologies emerge and commerce and economic activity increasingly move online, merchants and consumers are relying on a diverse array of New Payment Products and Services (NPPS). The FATF defines NPPS as “new and innovative payment products and services that offer an alternative to traditional financial services.” Examples of NPPS include prepaid cards, mobile payments, and internet-based payment services; these are neither exhaustive nor exclusive, as a provider of mobile money, for instance, may utilize prepaid cards or provide internet-based payment services. In contrast, payment methods such as credit cards and cheques, and bulk funds transfer systems such as national payment systems, would generally not qualify as NPPS. Because NPPS are so diverse, they do not share a single risk profile, and they pose money laundering and financing of terrorism (ML/FT) risks for financial institutions when those institutions do not understand the operation or the vulnerabilities of the NPPS operational models. The provision of these NPPS is frequently implemented or facilitated by a group or network of different companies, some of them invisible to the consumer or even to all the participants in the network, given the presence of multiple participants in the chain with whom not all participants will have a contractual relationship.

    The vast majority of payment transactions carried out each year across the globe are legitimate. But the Payment Sector—and NPPS in particular—has characteristics that make it both attractive and vulnerable to illicit actors. As LFIs are increasingly exposed to new participants in this sector, they must remain alert to and understand the risks this exposure creates.

    Section 2.1 below discusses the ML/FT risks of the Payment Sector with a focus on risks related to NPPS. It applies to financial institutions that are directly involved in the provision of such products and services, which includes both traditional LFIs and those that are solely engaged in providing payments. Section 2.2 discusses risks specific to LFIs that provide services to other Payment Sector participants.

    • 2.1. ML/FT Risks of the Payment Sector

      • 2.1.1. Characteristics of the Movement of Funds

        PPS, and NPPS in particular, are extremely attractive to illicit actors because of the rapid movement of funds between Payment Sector participants and across borders. The risks of a specific payment network or application, however, can vary based on the features that make it more or less attractive to illicit actors, such as:
         
         Transaction speed. Are transactions instantaneous, or do they take hours or days? The quicker the transaction, the easier it is for illicit actors to conduct multiple transfers, further obscuring the origin of the funds, before coming to the attention of the authorities.
         
         Transaction limits. Does the PPS have transaction caps or limits? Smaller-value payments are not without risk, especially in the terrorist financing context, but they do make it more difficult to move illicit funds on a large scale.
         
          Closed vs open loop system. PPS, primarily SVF, can be “closed” or “open” loop. In a closed loop system, the payment method can only be used for payments to a specific payee. Examples include transit passes and store gift cards. In an open loop system, the payment method can be used to pay a wide variety of payees, and can be linked to other payment methods that further expand its reach. Although it is certainly possible to use closed loop systems for ML/FT (for instance, if a terrorist group collects store gift cards and uses them to purchase equipment), the restrictions on their use make them less attractive to illicit actors.
         
          Methods of funding and access to cash.3 The methods by which a PPS can be funded (such as by cash, through another payment service, a prepaid model, or by third-party funding from anonymous sources) may increase risk. The inputs and outputs of a given PPS are therefore an important consideration when assessing risk, including whether the funding source is located internationally, such as in a high-risk country. For example, illicit actors may seek to place cash in the financial system or to obscure transaction trails by converting funds in and out of cash. PPS that permit users to fund their accounts with cash, or that allow users to withdraw cash, may be higher risk. In addition, as discussed above in the context of open loop systems, the more open and porous the PPS, the higher the risk it may present. PPS that allow users to fund accounts from multiple sources, and to withdraw funds using multiple methods, are likely to be more attractive to illicit actors, and will be harder to effectively monitor.
         
          Payment transparency. NPPS often have aggregated payments and settlement accounts involving multiple parties and long payment chains. This can reduce an LFI’s visibility into payment activity taking place through the PPS and obscure its ability to identify the ultimate payer and payee for all transactions.
         
         Ability for one person to create multiple accounts. Some PPS allow customers to create multiple accounts using the same ID. These may be individual accounts or created on behalf of minors or other family members. Illicit actors may seek to rapidly cycle funds through accounts (whether or not these take the form of virtual ‘wallets’ or other SVF) in order to obscure payment trails. They may also seek to open multiple accounts to facilitate fraud and other criminal activity. Restricting a customer to one account does not eliminate risk, since illicit actors often work in groups, but it makes it more difficult for a single person to launder funds by conducting a self-transfer.
         
         Non-face-to-face relationships. Does the payment method allow for a non-face-to-face business relationship? What are the payment method’s characteristics? Can the relationship be established through agents, online or through a mobile payment system? The absence of contact and/or anonymity may increase the risk of identity fraud or customers providing inaccurate information.
         
          Use of virtual assets.4 As interest in virtual assets grows, more and more payment methods and schemes are integrating with virtual assets. For example, a global payments firm allows users in some countries to purchase virtual assets using the funds in their account, although not to use them directly for payments. Payment methods and schemes that integrate virtual assets could expose financial institutions to the specific risks of this sector.
         

        3 For details on the vulnerabilities of cash and alternatives to cash, please consult the CBUAE’s Guidance for Licensed Financial Institutions providing services to Cash-Intensive Businesses

        4 Please note that the risks relating to Virtual Assets/Virtual Assets Service Providers are out of the scope of this guidance and addressed in a separate guidance to be issued by the CBUAE.

      • 2.1.2. Peer-to-Peer Payments

        NPPS have revolutionized the ability to make payments or transfer funds. Where cash transactions previously required face-to-face interaction and bank transfers involved transaction fees and an execution time, NPPS allow participants to send money that will be instantly available to the beneficiary, reducing the need for trust in the relationship. As a result, the availability of convenient, inexpensive PPS has led to a decreasing use of cash, particularly in highly developed countries. Bringing transactions into the formal financial system has many advantages from the perspective of combating illicit finance. These transactions can flow through third parties that are in many cases subject to AML/CFT requirements. In most cases, the payments that involve such third parties include information on the payer and the payee and are permanently recorded by a financial institution, making it easier for law enforcement to track transactions. But the use of PPS for peer-to-peer payments also creates risk for financial institutions because it means that many smaller illicit transactions that once took place in cash are now being conducted via PPS, particularly NPPS.

      • 2.1.3. Cross-Border Movement

        One of the principal features of many NPPS is that they can be used globally for making payments or transferring funds. While the usefulness of cash and cheques is limited outside the jurisdiction where they were issued, many PPS are internet-based services and specialize in conducting transfers between countries and currencies. For example, a UAE bank that offers checking accounts to UAE residents may have no ATMs or branches outside the UAE. But if users link their accounts to global or regional payment apps, they can conduct transactions with persons all over the world and can use their smartphone as a payment instrument in countries where the bank has no presence, thus introducing new geographical exposure, potentially to high-risk countries. And unlike cross-border wires, which carry full identifying information, the bank will frequently only see the customer’s transactions with the payment network itself, rather than their location or ultimate destination. Many illicit finance schemes involve the cross-border movement of funds. Criminals may seek to finance terrorism in other countries, move funds out of sanctioned jurisdictions, or evade the attention of law enforcement in the jurisdiction where a proceeds-generating offense was committed. PPS that allow or facilitate cross-border movement of funds may therefore be particularly attractive to illicit actors.

      • 2.1.4. Global Regulatory Gaps

        Countries take a variety of approaches to regulating the Payment Sector and there is no one widely accepted classification of participants. As a result, two regulators in two different jurisdictions may subject a single company to very different requirements based on each jurisdiction’s regulatory framework. The company may be regulated as a financial institution in one jurisdiction, and thus subject to AML/CFT requirements, but treated as a tech company in another with no requirement to apply preventive measures. Companies may provide services to customers in a given country without being regulated in that country at all. Even where Payment Sector participants are fully regulated and subject to stringent AML/CFT requirements, supervisors’ expectations for this sector may be lower than for traditional financial institutions such as banks. And participants, as relatively new market entrants, may lack the experience, expertise, or commitment to apply fully effective preventive measures. These entities may be less able to protect themselves and their partners, and thus vulnerable to abuse by illicit actors.

      • 2.1.5. Intermediation

        The Payment Sector may be complex with a number of participants potentially involved in a single transaction. As a result, many payment transactions will be highly intermediated, with multiple financial institutions involved in a funds transfer. Additional entities (some of which may not be financial institutions) can potentially facilitate the transaction through the exchange of information. Intermediated transactions create risk because no regulated entity participating in the transaction has the visibility necessary to fully understand the transaction and the participants. Illicit transactions may have red flags when viewed as a whole, but may appear legitimate when seen from the perspective of each of the financial institutions involved. This creates a vulnerability that illicit actors can exploit.
         
        For example, consider the hypothetical transaction below, a purchase on an online marketplace that allows individual sellers to sell items directly to customers:
         
        [Figure: diagram of the hypothetical online marketplace transaction]

         

        In this transaction, the customer is using a credit card to purchase goods from the merchant, but the merchant is not a participant in the credit card scheme. A number of Payment Sector participants help to bridge this gap and facilitate the transaction:
         
         The marketplace uses a payment gateway that accepts the customer’s credit card credentials, encrypts them, and validates them against data held by the credit card scheme operator. The marketplace may also integrate with providers that provide ‘one-click’ payment information to the payment gateway without requiring the customer to enter his or her credit card details. In the UAE, these providers would be classified as conducting payment account information services, but in many other jurisdictions they are not regulated as financial institutions.
         
         The credit card scheme operator validates the customer information provided by the payment gateway, conducts initial fraud checks, and informs the payment gateway that the credit account is in good standing and the credit limit has not been exceeded.
         
         The payment gateway informs the marketplace’s payment processor that a transaction of an identified value can proceed using the customer’s credit card details.
         
         The marketplace payment processor informs the merchant that the transaction has been confirmed and instructs the credit card scheme operator to debit the customer’s account for the purchase price, in favor of the marketplace.
         
         The credit card scheme operator passes this payment instruction on to the bank that issued the customer’s credit card (the issuing bank). Meanwhile, the merchant ships the customer the merchandise purchased.
         
         The issuing bank transfers funds in the purchase value to the marketplace’s bank (this transfer may in fact go through the marketplace payment processor’s account at the same bank).
         
         The marketplace bank transfers the purchase funds to the merchant’s fintech (likely a provider of SVF), which in turn transfers the funds to the merchant’s account. The marketplace’s payment processor likely facilitates this transaction by instructing the bank where to send the funds.
         
        It is unlikely that any of the Payment Sector participants in this transaction have full visibility into the funds transfer chain. The banks are unlikely to have information on anyone other than their immediate customers or correspondents. The payment gateway likely does not identify the merchant. The fintech likely does not identify the customer. The marketplace payment processor is likely aware that the customer and merchant are engaging in a transaction, but may not know where the customer’s funds are coming from or where the merchant’s funds are going. And because the marketplace payment processor does not hold funds at any point in the transaction, it may not be regulated as a financial institution in all jurisdictions. In this instance, a marketplace payment processor may apply certain conditions on what types of customers and merchants it engages. For more information on how LFIs can mitigate and manage ML/FT risks related to this sector, including the risks arising from the use of NPPS, please see section 3 “Mitigating Risks.”

      • 2.1.6. Nesting

        Nesting is a form of intermediation that presents specific risks. In most Correspondent Banking Relationships that involve nesting, the respondent financial institution is not aware of individual transactions ordered by the ultimate customer; instead, the respondent sees bulk activity in the correspondent’s account that represents aggregate customer orders and perhaps also proprietary transactions by the correspondent. As a result, the transaction is intermediated because the respondent cannot see—nor assess the risk of— the original customer.

        [Figure: diagram of a nested relationship]

        Although nesting can occur in the context of any financial service, some features of the Payment Sector (the long payment chains and the involvement of multiple parties) can increase the likelihood that nesting will take place. In particular, some Payment Sector participants specialize in providing financial services to dubious merchants or customers who would be rejected by larger financial institutions. A participant servicing these customers, frequently offering merchant acquiring or payment aggregation services, will establish a nested relationship with a third participant that in turn has a Correspondent Banking Relationship with a bank. Although all the parties involved must perform, and may claim to perform, appropriate merchant due diligence, in practice the risk may be that the bank is relying on its correspondent, which is in turn relying on the nested financial institution, with the first two parties not having full visibility into the nested financial institution’s customer base or due diligence practices.

      • 2.1.7. Use of Agents and Affiliates

        Payment Sector participants often interact in a dense web of agency and affiliate relationships, with each participant playing a defined role. A large number of entities involved in the NPPS, in particular when involving several countries, may increase the ML/FT risk.
         
        For example, entities involved in the provision of SVF through a prepaid card scheme could include:5
         
         The issuer of the SVF, such as the issuer of prepaid cards, who is accountable to the customer for holding the funds they have loaded into the SVF (issuers are often banks that maintain program funds in a single program account);
          The merchant acquirer (or acquirers), who establishes a direct relationship with merchants, distributes and maintains the payment gateway, collects funds on their behalf, and distributes them to merchants;
          The program manager, who operates the network and provides services to the issuer (because all program funds are generally maintained in a single account, program managers often maintain the electronic records that track the “movement” of funds into and out of customers’ individual wallets);
         The retailer, who sells SVF devices like prepaid cards to customers;
         The network operator, who maintains the link between merchants’ point of sale devices, or other payment gateways, and the program manager; and
         Persons, who act as agents for the scheme, such as by accepting cash in exchange for topping up wallet balance.
         
        Another example includes the provision of mobile payment services. The roles of Payment Sector participants depend largely on the business model of the mobile payment service. Furthermore, various roles may be carried out by a single entity or through agents. Entities involved in the provision of mobile payments may include the following:
         
         The network operator, who provides the platform to allow access to the funds through a mobile phone.
         The distributor (including retailer), who sells or arranges for the issuance of funds on behalf of the issuer to customers.
         The issuer of the SVF, or the electronic money issuer, who issues electronic money, which is defined here as a record of funds or value available to a customer stored on a payment device, such as a prepaid card or mobile phone.
         
        This interplay between different entities can lead to risks resulting from intermediation as discussed above. But it can also give rise to risks when the participating entities have not assigned clear responsibility for compliance with AML/CFT requirements. The PPS’s risk exposure may then depend on multiple actors who may have a deficient understanding of AML/CFT obligations. For example, in the prepaid card scheme described above, agents could facilitate money laundering by accepting large volumes of cash and breaking the value of the deposit up across several wallets, thus avoiding scrutiny related to large cash deposits. The entities acting as merchant acquirers could be aware that the merchants are providing illegal goods or services or are fraudulent, but conceal this knowledge in order to continue to receive fees related to transactions involving the merchants in their network.
         
        The risks created by the use of agents and affiliates increase when agents and affiliates are responsible for sensitive steps in the system (customer or merchant onboarding, or cash acceptance) and when there are multiple agents or affiliates between the customer and the ultimate provider of payment services. For example, in card schemes, merchant acquirers will frequently work with contractors who identify merchants and bring them to the acquirer in return for a fee. Depending on the relationships involved, the financial institution that maintains the merchant accounts may have no direct contact with the merchant and only limited visibility of it, as the relationship is intermediated through the merchant acquirer and also the merchant acquirer’s contractor. Since contractors do not get paid unless the financial institution accepts the merchant as a customer, they may be incentivized to help the merchant conceal the true nature of its business.

        5 Please note that one entity can hold various roles related to the provision of SVF (e.g., an issuer of the SVF can also be a program manager). The risk is extended where different agents are involved in the provisioning of a prepaid card.

      • 2.1.8. Merchant Risks

        All merchants accept payments in one form or another, and most merchants today are at least considering integrating NPPS into their financial arrangements. On the other end of the spectrum, NPPS lower the barriers for merchants to access financial services, making it easier to start and operate a small business, particularly in the e-commerce sector. These lower barriers to entry, however, can also create risks when merchants are not properly vetted. Globally, Payment Sector participants, including providers of NPPS, have been abused by or directly complicit with merchants who offer fraudulent or illegal goods or services, or whose business models pose reputational risks to financial institutions. These can, for example, include traffickers in narcotics who disguise their transactions as financial activity related to a supposedly legitimate small business. They can also include businesses that are legal in some jurisdictions but not others (such as gambling websites) and seek to accept payments from customers resident in jurisdictions where the business is illegal. Finally, they may include sites that are legal in many jurisdictions but that pose reputational risk, and that are therefore outside a financial institution’s risk appetite, or online marketplaces that do not thoroughly police their merchants and thus could themselves be abused by illicit actors.

        Any factors—particularly intermediation, nesting, and the use of agents and affiliates—that prevent a financial institution from understanding exactly what merchants or what types of merchants it is serving when it provides a PPS, increase the risks. Risks may be higher in cross-border networks, as businesses may be legal in some jurisdictions and illegal in others, while customers can use the PPS to purchase services that would be illegal in their jurisdiction. Relying on third parties to conduct customer due diligence (CDD) on merchants can also increase risk if the relationship is not well-governed.

    • 2.2. ML/FT Risks for LFIs Providing Services to Payment Sector Participants

      Many traditional LFIs, including banks, are full participants in the Payment Sector. Banks serve for example as issuers and acquirers in credit, debit, and prepaid card schemes, and are actively involved in developing new payment methods to better serve their customers. When banks play such roles, they are directly exposed to the determinants of risk discussed in section 2.1 above, and should thus conduct appropriate CDD on all Payment Sector participants. Banks and any other LFIs that offer services to other Payment Sector participants, or have customers who use these services, are exposed to specific forms of risk that include:

      • 2.2.1. Correspondent and Correspondent-Type Risk

        Because large-scale national clearing and settlement systems are often open only to banks and other depository institutions, the majority of retail payments will ultimately pass through a bank, generally as part of batch settlement. In order to facilitate this activity, non-bank financial institutions involved in payments, as well as unregulated Payment Sector participants, generally maintain deposit accounts with banks. These accounts can be used to safeguard customer funds (for example, funds that have been deposited with a prepaid scheme) or to aggregate customer funds before disbursing them directly to a customer’s account (for example, when a merchant acquirer aggregates multiple payments to a merchant partner before disbursing them in a single transfer). Correspondent Banking Relationships in which the correspondent’s customers’ funds flow through an account held at the respondent financial institution are particularly high risk, because they expose the respondent institution directly to any potentially illicit activity in which the correspondent’s customers are engaged. Because banks that offer services to correspondents have limited information on these transactions, they are reliant on the correspondent to implement an effective AML/CFT program. Please see section 3.4.2 for the respective preventive measures.

      • 2.2.2. Other Risks Related to Intermediation

        Even banks that view themselves as having limited to no exposure to NPPS may in fact have indirect exposure through customers who link their bank accounts to payment apps, or use their bank accounts to fund SVF accounts or wallets (or withdraw funds received in such wallets to their accounts), or withdraw funds as cash and use it to purchase other prepaid instruments. Account activity of this type poses unique challenges for account and customer surveillance, because frequently the bank will be aware only of the immediate source or destination for the transaction, rather than the entire transaction chain. This can allow customers to deliberately thwart transaction monitoring programs and prevent the bank from understanding and assessing the activity on the customer’s account to determine whether it is in fact in line with the customer profile. Examples of how intermediation can limit a bank’s ability to identify suspicious or unusual behavior include:
         
         Many banks have automated transaction rules designed to identify possible unlicensed money transfer activity by alerting on accounts that receive multiple small deposits from different sources, followed by a single large cross-border transaction. A customer could thwart this surveillance by having associates deposit the funds to be transferred in an SVF wallet, and then moving those funds to a linked bank account in order to execute the cross-border transfer. From the bank’s perspective, it would appear that the customer received only one deposit. Relatedly, the provider of SVF could not know that the funds were ultimately transferred across borders.
         Many banks use watchlists to identify transactions that may be illegal or in violation of bank policy, such as the use of gambling websites. A customer seeking to evade these restrictions could use a foreign payment app linked to their account to purchase the assets; this transfer would likely appear on the bank’s records as a debit in favor of the operator of the payment app. The operator, in turn, may not be responsible for enforcing the laws of the jurisdictions where its foreign customers are based. It is therefore important for banks to identify foreign payment apps in order to appropriately assess the risks of the transactional activity.
         A customer that generates a high quantity of illicit proceeds in cash can evade surveillance the bank applies to cash deposits by depositing the cash with a provider of NPPS (including both SVF and any other payment app that accepts cash inputs) and then withdrawing the funds from the payment service to his/her linked bank account.
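
        The first scenario above, sketched as an added example that is not part of the CBUAE guidance: a simplified pass-through rule run over constructed ledgers, showing that neither the bank's nor the SVF provider's own view alerts while the joined chain does. The thresholds, account names and the `chain_view` join are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed thresholds for illustration; not taken from the guidance.
SMALL_DEPOSIT_MAX = 2_000.0     # AED; deposits at or below this count as "small"
MIN_DISTINCT_SOURCES = 3        # different depositors needed before alerting
WINDOW_DAYS = 7                 # look-back window before the outbound transfer
PASS_THROUGH_RATIO = 0.8        # outbound transfer must move most of the inflow


@dataclass(frozen=True)
class Txn:
    day: int
    ledger: str          # institution that booked the entry: "bank" or "svf"
    account: str
    direction: str       # "in" or "out"
    amount: float
    counterparty: str    # immediate source/destination as that institution sees it
    cross_border: bool = False


def pass_through_alerts(txns):
    """Accounts with small deposits from several sources followed by one
    cross-border transfer that moves most of that value."""
    alerts = set()
    for out in txns:
        if out.direction != "out" or not out.cross_border:
            continue
        feeders = [t for t in txns
                   if t.account == out.account and t.direction == "in"
                   and t.amount <= SMALL_DEPOSIT_MAX
                   and 0 <= out.day - t.day <= WINDOW_DAYS]
        sources = {t.counterparty for t in feeders}
        total = sum(t.amount for t in feeders)
        if len(sources) >= MIN_DISTINCT_SOURCES and out.amount >= PASS_THROUGH_RATIO * total:
            alerts.add(out.account)
    return sorted(alerts)


def ledger_view(txns, ledger):
    """What a single institution can see: only the entries it booked itself."""
    return [t for t in txns if t.ledger == ledger]


def chain_view(txns, wallet_links, svf_name="SVF-PROVIDER"):
    """Hypothetical joined view: each wallet-to-bank credit is replaced by the
    wallet's own funding entries, so the original depositors become visible."""
    joined = []
    for t in ledger_view(txns, "bank"):
        wallet = wallet_links.get(t.account)
        if t.direction == "in" and t.counterparty == svf_name and wallet:
            joined += [Txn(f.day, "bank", t.account, "in", f.amount, f.counterparty)
                       for f in ledger_view(txns, "svf")
                       if f.account == wallet and f.direction == "in" and f.day <= t.day]
        else:
            joined.append(t)
    return joined


# Constructed sample data: five associates each contribute AED 1,900.
ASSOCIATES = ["associate-A", "associate-B", "associate-C", "associate-D", "associate-E"]

# Case 1: deposits land directly in the bank account, then leave the country.
DIRECT = [Txn(i + 1, "bank", "ACC-1", "in", 1_900.0, name)
          for i, name in enumerate(ASSOCIATES)]
DIRECT.append(Txn(6, "bank", "ACC-1", "out", 9_500.0, "foreign-beneficiary", True))

# Case 2: the same value is first collected in an SVF wallet linked to ACC-1.
VIA_WALLET = [Txn(i + 1, "svf", "WALLET-1", "in", 1_900.0, name)
              for i, name in enumerate(ASSOCIATES)]
VIA_WALLET += [
    Txn(5, "svf", "WALLET-1", "out", 9_500.0, "ACC-1"),         # domestic move to the bank
    Txn(5, "bank", "ACC-1", "in", 9_500.0, "SVF-PROVIDER"),     # the bank sees one deposit
    Txn(6, "bank", "ACC-1", "out", 9_500.0, "foreign-beneficiary", True),
]

if __name__ == "__main__":
    print("direct deposits, bank view:", pass_through_alerts(DIRECT))
    print("via wallet, bank view:     ", pass_through_alerts(ledger_view(VIA_WALLET, "bank")))
    print("via wallet, SVF view:      ", pass_through_alerts(ledger_view(VIA_WALLET, "svf")))
    print("via wallet, joined chain:  ",
          pass_through_alerts(chain_view(VIA_WALLET, {"ACC-1": "WALLET-1"})))
```

        The joined view presumes that the bank can obtain the wallet's funding entries from the SVF provider, which is exactly the visibility the scenario says each institution lacks on its own.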
         
      • 2.2.3. Risks Related to Outsourcing

        Banks often serve as the backbones of PPS such as credit, debit, and prepaid schemes without serving as the administrator or governing body of the scheme. In these situations, banks provide their reputation, stability, ability to hold deposits, and access to national payment systems while program administrators actually manage the movement of funds throughout the scheme. Because program operators have more direct contact with customers and more insights into the movement of funds, banks involved in these schemes often outsource CDD and other elements of the AML/CFT program to the program operators. But as banks continue to be exposed to funds involved in the program, they remain responsible for implementing an effective and compliant AML/CFT program, even if transactions flow through third parties that may or may not be subject to AML/CFT requirements. LFIs should therefore adopt policies to mitigate risks arising from reliance on outside service providers, including ones that operate in high-risk countries. Where roles and responsibilities are not clearly assigned, or where the program administrator does not implement an effective program, illicit actors can exploit the cracks in the program, and the bank and the program operator together will likely be less effective than if either party were operating alone. In such cases, LFIs should maintain a contingency arrangement as necessary.