Payment Service Providers: Overcoming AML Obstacles

Who Are Payment Service Providers (PSPs)?

Within the UAE’s regulatory landscape, Payment Service Providers are entities authorized to offer payment-related services without necessarily holding a full banking license. PSPs may include:

  • Digital Wallet Operators (e-wallets, prepaid card issuers)
  • Money Remitters (domestic/international remittance businesses)
  • Payment Gateways and Processors (online merchant acquirers, point-of-sale providers)
  • E-money Institutions

PSPs fall under the Central Bank of the UAE’s (CBUAE) supervision (per the Stored Values and Electronic Payment Systems Regulations). They must also comply with Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT Law) and Cabinet Decision No. 10 of 2019.

What Obstacles Do Payment Service Providers Face?

  1. Rapid Regulatory Change
    • Frequent Updates: The UAE’s AML/CFT framework (Federal Decree-Law No. 20/2018, Cabinet Decision No. 10/2019, CBUAE circulars) is constantly evolving.
    • Implementation Lag: Translating new rules into updated policies, training, and systems can create temporary compliance gaps.
  2. High Volume of False Positives
    • Over-Sensitive Screening Rules: Automated sanctions and transaction-monitoring systems often generate large numbers of low-risk alerts.
    • Investigation Backlog: Manually reviewing false positives diverts time and resources from genuine high-risk cases.
  3. Data Quality and Fragmentation
    • Inconsistent Customer Data: Missing or outdated KYC documentation (addresses, ultimate beneficial owner data) hampers accurate risk scoring.
    • Siloed Systems: Disparate databases (onboarding, transaction monitoring, adverse-media feeds) can prevent a consolidated view of customer risk.
  4. Non-Face-to-Face (NFTF) Verification Challenges
    • Digital Identity Fraud: Verifying corporate and individual identities remotely introduces greater uncertainty.
    • Third-Party Reliance: Outsourced KYC vendors or technology providers may not apply the same standards, creating compliance gaps.
  5. Resource Constraints
    • Budget Limitations: Smaller firms and fintech startups often lack the headcount or budget to run 24/7 monitoring or maintain a large AML team.
    • Skill Gaps: Finding and retaining staff with both deep UAE regulatory expertise and technical proficiency (data analytics, AI tools) can be difficult.
  6. Complex Ownership Structures
    • Shell Companies & Trusts: Criminals use layered corporate vehicles to obscure beneficial ownership.
    • Cross-Border Entities: Verifying international supplier or partner structures requires access to offshore registries and local-language due diligence.
  7. Rapid Transaction Velocity
    • High-Frequency Transfers: Instant payments and e-wallet transactions occur too quickly for traditional manual review.
    • Anonymized Channels: Some payment rails allow near-anonymous transfers, complicating source-of-fund verification.
  8. Evolving Money Laundering Techniques
    • New Typologies: Crypto-asset mixing, prepaid cards, and gift-card laundering require constant updating of detection rules.
    • Coordination Across Units: Ensuring Risk, Compliance, IT, and Business teams share intelligence on emerging threats can be challenging.

How to Overcome These Obstacles: Why a Risk-Based Approach (RBA) Is Paramount

Addressing these obstacles requires a combination of strong leadership support, investment in technology and training, and a culture of compliance that empowers AML Associates to continuously refine risk models, streamline workflows, and engage all departments as proactive partners in the fight against financial crime.

A risk-based approach means identifying, assessing, and mitigating ML/TF risks proportionately—focusing resources on higher-risk customers, products, and geographies. For PSPs, whose digital, non-face-to-face business model inherently increases exposure, an effective RBA allows the firm to:

  • Allocate Compliance Resources Efficiently: Direct enhanced due diligence where it matters most (e.g., large cross-border remittances).
  • Maintain Customer Experience: Avoid blanket “one-size-fits-all” controls that unduly slow down low-risk transactions.
  • Demonstrate Regulatory Compliance: Show the CBUAE and UAE Financial Intelligence Unit (UAE FIU) that AML controls are tailored and dynamic.

Key Components of a Robust RBA for PSPs

  1. Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD):
    • KYC Onboarding: Verify legal entities and individuals with government-issued IDs, corporate documents, and biometric or video‐based checks for NFTF customers.
    • PEP & Sanctions Screening: Real-time checks against UN, OFAC, EU, and CBUAE sanctions lists, plus Politically Exposed Persons databases.
    • EDD Triggers: Cross-border volume, complex ownership structures (shell companies), high-risk jurisdictions (FATF grey/black lists).
  2. Transaction Monitoring & Screening:
    • Automated Systems: Leverage AI/ML-driven platforms to detect unusual patterns, rapid transaction velocity, round-figure transfers, or repeated small payments (structuring).
    • Real-Time Alerts: Configure thresholds for immediate investigation by the AML team.
  3. Ongoing Risk Assessment:
    • Periodic Reviews: Re-screen high-risk customers quarterly; conduct annual refresh for all other customers.
    • Dynamic Risk Scoring: Update scores based on new intelligence, e.g., adverse media, regulatory advisories, or changes in service usage.
  4. Suspicious Activity Reporting (SAR):
    • Timely Filings: File SARs to the UAE FIU within prescribed timelines when reasonable grounds for suspicion arise.
    • Documentation & Audit Trail: Retain all internal investigations, decision-making notes, and SAR submission confirmations for at least five years.
  5. Policy & Procedure Maintenance:
    • Regulatory Updates: Immediately incorporate changes from the CBUAE, SCA, and federal authorities, such as new sanctions or updated customer identification thresholds.
    • Staff Training: Deliver role-based training on AML policies, emerging typologies (e.g., gift card money-laundering), and the firm’s RBA.

Conclusion

By championing a risk-based approach, from meticulous KYC and real-time monitoring to proactive policy updates and staff training, PSPs not only meet their mandate to comply fully with UAE AML/CFT obligations but also remain competitive through efficient, customer-centric operations.

In doing so, PSPs safeguard their institution’s reputation, mitigate legal and financial exposure, and build a resilient compliance culture essential for sustainable growth in the rapidly evolving payments landscape.

At eLegal Consultants, we offer PSPs a robust risk-based approach to ensure that they avoid all obstacles and comply with AML rules and regulations. Contact us for a free consultation today.