In a Nutshell
- Offshore transfers exploit jurisdictional disparities; effective governance requires a country risk framework that the board approves, monitors, and refreshes at each FATF plenary cycle.
- Personal liability under Federal Decree-Law No. 10 of 2025 extends to board members and executives proven responsible for correspondent banking due diligence failures.
- Boards processing cross-border payments without documented country risk assessment processes are carrying an unquantified and undefended risk.
- Three lines of defence must each have specific offshore transfer responsibilities; gaps in second-line correspondent bank review are a common examination finding.
The UAEFIU Strategic Analysis Report, published in May 2025, identified high-risk jurisdiction routing and financial institution layering as active money laundering and terrorism financing methods observed in UAE-based data. This is not a theoretical risk assessment; it reflects actual patterns in the UAE financial system. Boards at institutions processing cross-border payments need to ask whether their governance framework is designed to detect and prevent these patterns or merely to document them after the fact.
The Governance Accountability Chain for Offshore Transfer Risk
Federal Decree-Law No. 10 of 2025, Article 17, empowers supervisory authorities to restrict the powers of board members, executives, and managers proven responsible for AML compliance failures. For offshore transfer risk, the governance accountability chain runs through the country risk assessment framework that the board approves, the correspondent banking due diligence programme that the second line owns, and the transaction monitoring calibration that produces alerts the compliance function acts on.
An institution whose country risk matrix has not been updated following FATF plenary decisions, whose correspondent banking due diligence has not been reviewed in the past year, and whose monitoring rules have not been back-tested against offshore transfer typologies is carrying three identifiable and documentable governance gaps. When a regulatory examination surfaces any of these, the accountability question reaches the board and senior management.
Board-Level Country Risk Governance
The country risk assessment framework is a board-level governance tool, not only a second-line operational procedure. The board must approve the methodology, understand the risk ratings applied to jurisdictions material to the institution’s business, and require management to report changes in jurisdiction ratings and the resulting impact on the institution’s exposure profile.
The governance expectation is that the country risk matrix is a live document, not a periodic compliance exercise. FATF plenary decisions are published on a defined schedule; the institution should have an internal procedure that requires the matrix to be reviewed and updated within 30 days of each plenary. This procedure should be documented and tested by internal audit, with adherence to it reported to the board.
Correspondent Banking: The Governance Gap That Supervisors Find
Correspondent banking relationships represent one of the most structurally complex governance challenges in offshore transfer risk management. The UAE institution provides access to the international payment system to respondent institutions whose customer base it cannot fully see. Payable-through account risks mean that offshore transfers may reach the UAE institution carrying only the respondent bank’s identity, not the underlying customer who initiated the payment.
Board-level governance of correspondent banking requires: annual review of all respondent institutions’ due diligence results; specific board consideration of any respondent institution that is subject to regulatory enforcement, has been derisked by peer institutions, or operates in a jurisdiction that has been reclassified as high risk; and a formal policy on the circumstances that trigger exit from a correspondent banking relationship.
Second-line ownership of the correspondent banking due diligence programme must be explicitly assigned and its results reported to senior management and the board. Where the second line has not reviewed a correspondent relationship in more than twelve months, the governance gap is documentable.
Three Lines of Defence for Offshore Transfer Risk
| Line | Specific Offshore Transfer Responsibilities |
|---|---|
| First Line | Applying country risk ratings during cross-border transactions at the point of processing, executing EDD procedures where required, escalating correspondent chain opacity and beneficial ownership gaps to compliance, and maintaining payable-through account controls on correspondent credits |
| Second Line | Owning the country risk matrix and ensuring timely updates following FATF plenary decisions; conducting annual correspondent banking due diligence reviews; monitoring STR, HRC, and HRCA filing volumes and quality for cross-border activity; reporting geographic risk concentration to the board with recommended exposure limits |
| Third Line | Independent testing of country risk matrix currency and accuracy; sampling of EDD files for offshore transfer customers; reviewing correspondent banking due diligence documentation and coverage; testing monitoring rule calibration for offshore transfer typologies; reporting governance gaps to the board audit committee |
Where Regulatory Liability Falls
Administrative penalties under Cabinet Resolution No. 71 of 2024 may reach AED 500,000 per violation for certain EDD and monitoring failures. Criminal penalties under Federal Decree-Law No. 10 of 2025 for ML convictions reach AED 5,000,000 for natural persons and AED 100,000,000 for legal persons. These penalties apply at the institutional level; personal liability under Article 17 of the Decree-Law may reach board members and executives proven responsible.
The removal of any statute of limitations for ML/TF/PF offences under Article 37 of Federal Decree-Law No. 10 of 2025 means that governance failures in offshore transfer controls from previous years remain perpetually actionable. An institution that processed offshore transfers through correspondent relationships without adequate due diligence in 2022 cannot treat that period as closed; if those transfers are implicated in an enforcement action that surfaces today, the governance trail from that period is reviewable.
What Board Reporting Should Cover for Offshore Transfer Risk
- Country risk matrix update frequency and the list of jurisdictions reclassified since the last board report.
- Correspondent banking due diligence completion rates and a list of respondent institutions not reviewed within the past twelve months.
- STR, HRC, and HRCA filing volumes for cross-border activity, with trend analysis and any concentration in specific jurisdictions or transfer types.
- EDD completion rates for offshore transfer customers and the proportion of those customers where beneficial ownership remains unverified.
- Monitoring rule performance metrics for offshore transfer typologies, including back-testing results against known typologies.
- Any derisking decisions taken on correspondent banking relationships and their rationale.
GRC Advisors: Offshore Transfer Risk Governance
GRC Advisors works with boards and senior management to build governance frameworks that address offshore transfer risk with the specificity and evidence quality that UAE supervisors expect. Our advisory services include country risk framework design, correspondent banking governance reviews, board reporting framework development, and remediation support following examination findings on cross-border payment risk. Contact GRC Advisors to discuss how your board can take defensible governance ownership of offshore transfer risk.
Frequently Asked Questions
Does the board need to approve individual correspondent banking relationships?
Individual relationship approval is not typically a board-level decision; it is a management decision. The board’s governance responsibility is to approve the policy framework governing correspondent banking relationships, including the due diligence standards, the review frequency, and the circumstances that trigger relationship exit. Material relationship exits, particularly those arising from regulatory risk, should be reported to the board.
How should the board assess whether its offshore transfer monitoring is effective?
The board should require the second line to present, on a defined frequency, evidence that monitoring rules for offshore transfer typologies are producing alerts of appropriate quality: that the false positive rate on offshore transfer alerts is within a managed range, that high-risk alerts are being reviewed within the institution’s defined timelines, and that STR filings for offshore transfer activity are proportionate to the institution’s cross-border payment volumes and geographic risk exposure. Internal audit should independently verify these claims.
What governance changes are required when the UAE is named as a FATF concern or when a jurisdiction material to the institution's business changes status?
Any change to the FATF designation status of jurisdictions material to the institution’s business requires an immediate review of the country risk matrix, an assessment of the accounts, correspondent relationships, and transfer patterns affected by the change, and a report to the board on the revised exposure profile and any enhanced controls required.