Building a Control Spine for a UAE Payment Institution

Overview

A UAE-based payment services provider (“the PSP”) had grown rapidly over five years, offering merchant acquiring, payment links and recurring billing to SMEs across the region. The business was licensed as a payment institution and connected to multiple banks, card schemes and third-party processors.

Growth had outpaced its control environment. Policies existed, but day-to-day practices, monitoring and evidence were inconsistent. A recent query from the regulator, combined with tougher questions from a key banking partner, prompted the board to seek external support.

Marensa Advisory was engaged to design and implement a practical governance, risk and compliance framework (a “control spine”) that could support further growth, satisfy the regulator and reassure banking partners.

Client profile

  • UAE-headquartered payment institution

  • Services: merchant acquiring, payment links, recurring billing, limited wallet functionality

  • Clients: primarily regional SMEs in retail, services and e-commerce

  • Connections: several local banks, international card schemes, third-party processors

  • Staff: lean central team with outsourced functions (IT, some operations, back office)

 

Key challenges

  1. Patchwork policies and procedures
    The PSP had a collection of AML, KYC, operational and IT policies produced at different points in time – often to satisfy a bank or auditor request. There was no single, coherent framework. Staff weren’t always sure which version applied.

  2. Merchant onboarding inconsistencies
    Different teams and partners collected different information from merchants. Some SMEs were onboarded quickly with strong documentation; others had incomplete or poorly evidenced CDD, especially older accounts opened in the early growth phase.

  3. Weak monitoring and MI
    Transaction monitoring relied heavily on vendor tools and rule sets inherited from processors. Alerts were handled, but there was no robust documentation of scenarios, thresholds, rationales or periodic tuning. Board MI was limited to high-level volume and chargeback statistics.

  4. Operational risk not clearly owned
    Incidents (downtime, failed batches, reconciliation breaks) were fixed, but not always documented or analysed. Root causes and lessons learned were not consistently tracked or fed back into process design.

  5. Regulator and banking partner expectations rising
    The regulator had started requesting more structured information on governance, AML and operational resilience. A key banking partner asked for a formal risk and controls description as part of its periodic review.

 

Marensa’s approach

Marensa’s mandate was to create a control environment that could be described, operated, and evidenced – without paralysing a still-entrepreneurial business.

1. Diagnostic and “as-is” map

We began with a focused diagnostic over six weeks:

  • Reviewed all existing policies, procedures and registers

  • Walked through merchant onboarding, underwriting, settlement and refunds with operational staff

  • Sampled CDD and EDD files across different merchant segments and onboarding dates

  • Examined incident logs, reconciliations, monitoring alerts and exception handling

  • Interviewed senior management about risk appetite, commercial pressures and regulatory interactions

 

The output was an “as-is” control map, highlighting strengths, gaps and areas where practice diverged from policy.

 

2. Framework redesign – simple, integrated and risk-based

 

Rather than layering more documents on top of confusion, we:

  • Consolidated policies into a core suite: governance, AML/CFT & sanctions, merchant onboarding and underwriting, transaction monitoring, operational risk & incident management, outsourcing, and business continuity.

  • Structured each policy around three questions: what must we do, who does it, and how do we prove it?

  • Ensured that references to regulatory expectations, card-scheme rules and banking-partner requirements were clear but not overwhelming.

 

We also helped management articulate a risk appetite statement in plain language, with specific references to fraud loss tolerance, merchant risk categories, and operational downtime.

 

3. Merchant onboarding and CDD upgrade

Merchant onboarding was the heart of the PSP’s risk. We worked with the commercial and operations teams to:

  • Define merchant risk categories (e.g. low, standard, higher risk) based on sector, geography, volumes and business model.

  • Set minimum CDD and EDD documentation requirements per category, including clear expectations for ownership structures, source-of-funds/wealth (where relevant) and transactional behaviour.

  • Create standardised checklists and file structures for new merchants, including digital workflows where possible.

  • Design an initial remediation programme for legacy merchants – prioritised by volume and risk – to update and complete files without disrupting relationships.

 

This approach balanced regulatory expectations with commercial realities; not every small merchant was treated as if it were a high-risk cross-border PSP, but higher-risk segments received deeper scrutiny.

 

4. Transaction monitoring and financial crime controls

The PSP already used vendor tools for monitoring, but lacked a clear design rationale and documentation. We:

  • Identified the current scenarios and thresholds in use, and mapped them to specific risks (e.g. unusual chargeback patterns, velocity, country risk, MCC anomalies).

  • Defined a scenario library describing each rule, its purpose, escalation path and potential tuning levers.

  • Helped the MLRO and operations team agree on alert-handling standards: what must be documented for each alert type, what gets escalated, and how decisions are recorded.

  • Recommended periodic reviews of rule effectiveness, including simple metrics (alerts vs. true cases, false positives, time to close).

 

We also strengthened sanctions and screening practices for merchants and certain transaction flows, ensuring consistent use of lists and clear handling of potential matches.

5. Operational risk, incidents and continuity

On the operational side, we introduced:

  • A simple operational risk register with clear owners for key risks (processing failures, reconciliation breaks, data errors, vendor outages).

  • A structured incident log covering both internal incidents and merchant-impacting events, with root-cause analysis and corrective actions.

  • Minimal but meaningful business continuity and disaster recovery documentation linked to the PSP’s actual infrastructure and vendor arrangements.

 

This gave management and the board visibility over recurring issues and strengthened the PSP’s narrative around operational resilience.

 

6. Governance, MI and external communication

Finally, we worked with the CEO, MLRO and COO to:

  • Clarify the roles of management and board in risk, compliance and incident oversight.

  • Design a quarterly board MI pack: merchant risk metrics, CDD status, monitoring outcomes, incidents, fraud trends and remediation progress.

  • Prepare a concise written description of the PSP’s control environment for use with the regulator and banking partners.

 

This documentation was not a marketing brochure; it was a straightforward description that could be backed up with evidence.

Outcomes

Within approximately six months:

  • The PSP had a single, coherent control framework that staff could understand and follow.

  • Merchant onboarding became more consistent, with clearer risk-tiering and better-quality CDD files, especially for new merchants and higher-risk segments.

  • Transaction-monitoring scenarios and sanctions controls were documented, tuned and supported by better alert-handling records.

  • Operational incidents were logged, analysed and used to drive improvements rather than simply being “fixed and forgotten”.

  • The board received structured MI, allowing it to challenge management and support investments in controls where needed.

  • The PSP was able to respond to regulatory queries and banking-partner reviews with organised documentation and a clear narrative of improvements.

 

While no framework can eliminate all risk, the organisation moved from “we know we’re doing things, but can’t always show it” to “we can explain, demonstrate and improve our controls with confidence”.

Why it matters

Payment institutions operate in a space where regulatory expectations, bank requirements and customer demands all intersect. Fast growth often comes at the cost of documentation and discipline. This case demonstrates how, with the assistance of Marensa Advisory, a growing PSP can build a practical control spine (governance, AML, monitoring, operational risk and MI) that supports growth, reassures regulators and partners, and gives the board a clear view of the risks it is taking.
