In a Nutshell
- Common offences represent a systemic channel risk that must be addressed in the board-approved enterprise-wide risk assessment under Cabinet Resolution No. 134 of 2025, Article 5.
- Common offence proceeds arise at scale globally from street-level criminal networks rather than from single high-value transactions, so under-detection carries aggregate regulatory exposure across the institution’s entire channel portfolio.
- Boards that approve monitoring systems designed only for high-value transaction detection are approving systems that structurally fail to detect the most prevalent ML typology in UAE retail channels.
- Three lines of defence should each address channel risk explicitly; absence of first-line channel-level monitoring rules is a governance gap that internal audit should test.
Common offences do not present themselves as single large suspicious transactions. They appear in aggregate, distributed across high-volume channels through networks of ordinary-looking accounts. Boards that have approved monitoring systems calibrated for high-value wire transfers and PEP-linked transactions have approved systems that are structurally designed to miss them. This is a governance failure, not an operational one.
What the Board Must Own in the Enterprise-Wide Risk Assessment
Cabinet Resolution No. 134 of 2025, Article 5 requires regulated entities to conduct an enterprise-wide risk assessment that explicitly incorporates channel-level risk from predicate crime exposure. The board should ensure that the enterprise-wide risk assessment remains current and is reviewed whenever material changes affect the institution’s risk profile.
For an institution with significant exposure to cash-intensive business accounts, peer-to-peer payment infrastructure, or money transfer services, the enterprise-wide risk assessment must address:
- The volume of cash-intensive business accounts in the portfolio and the sector-level benchmarking methodology applied to assess their revenue plausibility.
- The proportion of P2P payment volume that is monitored at the network level rather than the account level, and the gap this creates.
- The identification controls applied to detect unregistered IVTS operators among the customer base.
- The monitoring rule calibration for sub-threshold structuring patterns across related accounts.
- The training programme aimed at ensuring that first-line staff recognise common offence indicators in face-to-face cash transactions.
Why Common Offence Governance Is Different from High-Value Transaction Governance
The governance framework for high-value transaction risk is straightforward: a single large transfer generates a monitoring alert, a compliance analyst reviews it, and a filing decision is made. The governance framework for common offence risk requires something fundamentally different: a system capable of identifying patterns distributed across hundreds of individually unremarkable accounts, processed through the same channels as millions of legitimate customer transactions.
This difference has capital implications. Building network-level monitoring capability requires investment in analytics infrastructure that goes beyond standard transaction monitoring rule sets. It requires data integration across accounts, counterparty databases, and beneficial ownership records. It requires analyst skills calibrated to interpret network-level patterns rather than single-account anomalies.
Boards approving compliance technology budgets should be asking not just whether a monitoring system has been deployed, but whether it is capable of detecting the common offence patterns that the institution’s channel risk profile generates. The answer to that question should be documented in the enterprise-wide risk assessment and tested by internal audit.
Three Lines of Defence for Common Offence Channel Risk
| Line | Specific Common Offence Responsibilities |
|---|---|
| First Line | Branch staff trained to identify common offence indicators in cash transaction interactions; relationship managers applying channel-specific monitoring rules to cash-intensive business portfolios; front-line STR escalation procedures for structuring patterns observed in real time |
| Second Line | Owning the network-level monitoring rule set; conducting quarterly rule effectiveness reviews; ensuring enterprise-wide risk assessment addresses channel risk; reporting channel-level AML performance metrics to the board, including cash deposit benchmarking and P2P structuring detection rates |
| Third Line | Independently testing network monitoring capabilities; sampling cash-intensive business account benchmarking calculations; reviewing training programmes for first-line common offence indicator recognition; reporting governance gaps to the board audit committee |
What the UAE National Risk Assessment Says About Channel Risk
The UAE’s 2024 National Risk Assessment identifies cash-intensive sectors and informal transfer networks as among the highest-rated money laundering vulnerabilities. This supervisory priority document informs examination expectations. Institutions operating in high-volume cash or payment transfer channels will receive heightened scrutiny on their channel-level monitoring controls, and boards should expect this scrutiny to be translated into specific examination questions about monitoring system design.
The 2021 NAMLCFTC Joint Guidance on Satisfactory and Unsatisfactory Practice identified source-of-funds identification failures and inadequate risk category assignment as the most common examination findings for DNFBPs. A board that has received this guidance through its supervisory engagement and has not updated its enterprise-wide risk assessment or monitoring calibration accordingly is carrying a documented governance gap.
Accountability When Channel Risk Controls Fail
Federal Decree-Law No. 10 of 2025, Article 17 empowers supervisory authorities to restrict the powers of board members, executives, and managers proven responsible for a compliance violation. When a common offence scheme is identified through law enforcement action and the institution’s monitoring systems demonstrably failed to detect it, the governance question is who was responsible for the monitoring system’s design, calibration, and testing. That trail of accountability leads directly to the second line and, ultimately, to the board that approved the enterprise-wide risk assessment and received management reporting on monitoring effectiveness.
GRC Advisors: Enterprise-Wide Risk Governance for Channel Risk
GRC Advisors works with boards and senior leadership to build enterprise-wide risk assessment frameworks that address common offence channel risk with the specificity and analytical rigour that supervisors expect. Our advisory services cover risk methodology design, monitoring system governance reviews, internal audit programme development for AML channel risk, and board reporting framework design. Contact GRC Advisors to discuss how your organisation can close the channel risk governance gap that common offence typologies exploit.
Frequently Asked Questions
What specific channel risk information should appear in the board's enterprise-wide risk assessment?
The assessment must identify each channel through which the institution’s products are delivered and assess the ML risk associated with that channel, including common offence exposure. For a retail bank, this means explicit coverage of cash deposit services (risk level, benchmarking methodology, monitoring rule coverage), P2P payment infrastructure (network monitoring capability, account linkage detection), and any MSB or remittance services (MSB register verification process, IVTS indicator monitoring). The assessment should conclude with a channel-level risk rating and a mapped set of controls for each channel.
How frequently should the enterprise-wide risk assessment be reviewed for channel risk changes?
Cabinet Resolution No. 134 of 2025 requires review whenever material changes occur. For channel risk, a material change includes a significant increase in cash-intensive business onboarding, the launch of new P2P payment products, changes in the jurisdictional composition of the customer base, or new NRA findings that affect channel risk ratings. Annual review as a minimum is standard governance practice; trigger-based review is required in addition whenever a material change event occurs.
What should internal audit test when reviewing common offence channel risk governance?
Internal audit should test whether monitoring rules specific to common offence patterns exist and are documented; whether those rules are being applied to the relevant account populations; whether alert dispositions for common offence alerts are documented with adequate rationale; whether cash-intensive business account benchmarking calculations are current and defensible; and whether first-line staff training includes common offence scenario content. The audit report should quantify gaps and recommend specific remediation with measurable milestones.