Independent advisory for financial institutions, acquirers, issuers, fintechs and governments shaping the next generation of payments.
MENA Advisory is an independent international consultancy focused on the payments and fintech sector. We operate from Doha, London and Istanbul, advising financial institutions, major retailers, travel management companies, manufacturers and government entities across Europe, the Middle East and Africa.
Our principals have held senior roles at card schemes, acquirers, issuing banks and fintech businesses. We bring practitioner knowledge — not theoretical frameworks — to every engagement, covering the full payments value chain from strategy and product through to licensing, compliance and technology selection.
We work with clients at critical points of decision: entering a new market, responding to regulatory change, evaluating a technology investment, or building a new payments capability from scratch.
Work With UsComprehensive consultancy across the full payments and fintech lifecycle — from investment evaluation to operational transformation.
We conduct structured evaluations of payments and fintech businesses for investors, acquirers and strategic partners. Our assessments examine commercial performance, technology architecture, regulatory standing, fraud controls, and operational resilience — producing clear findings and risk-rated recommendations to support investment and acquisition decisions.
Discuss ThisWe help payments businesses and financial institutions define where to compete and how to win. Engagements typically cover market entry analysis, product-market fit assessment, competitive positioning, pricing strategy and go-to-market planning — grounded in deep sector knowledge across issuing, acquiring and digital payments.
Discuss ThisWe advise organisations moving from legacy infrastructure to modern payments architectures. This includes core system migration planning, API strategy, cloud readiness, scheme compliance (ISO 20022, PCI-DSS), vendor selection and programme management — translating technical complexity into commercially sound decisions.
Discuss ThisWe support businesses optimising their end-to-end payments stack — from acquiring and gateway selection to fraud management, chargeback reduction and alternative payment method integration. Our work spans domestic and cross-border payment flows, settlement optimisation and cost reduction across the full transaction lifecycle.
Discuss ThisFrom AI-driven commerce to tokenised assets, we provide expert guidance on the technologies and business models reshaping the payments industry.
Artificial intelligence is reshaping every layer of the payments stack — from real-time fraud decisioning and credit underwriting to customer authentication and dispute management. Financial institutions are moving beyond rules-based systems towards adaptive models that process transaction context, behavioural signals and external data simultaneously. The commercial benefits are material: reduced false positives, lower fraud losses, faster onboarding and improved customer retention. Advisory engagements typically focus on model selection, data governance, regulatory compliance (particularly explainability requirements under EU AI Act) and vendor evaluation.
Agentic commerce describes AI systems that autonomously execute purchasing decisions on behalf of users — searching, selecting, authorising and completing transactions without real-time human interaction. Visa's Trusted Agent Protocol, Mastercard's Agent Pay framework, Google's AP2 standard and Stripe's Machine Payments Protocol (launched March 2026) represent the emerging infrastructure layer for agent-initiated payments. The implications for merchants, acquirers and issuers are significant: existing authorisation models, fraud detection logic and chargeback frameworks were built for human-initiated transactions and require fundamental rethinking for agent-driven commerce.
Embedded finance describes financial services — payments, lending, insurance, banking — delivered within non-financial platforms and applications. The B2B embedded finance market reached $4.1 trillion in 2026 and is projected to reach $15.6 trillion by 2030. For software platforms, marketplaces and enterprise SaaS businesses, embedding payments and financial products creates new revenue streams, increases user retention and reduces customer acquisition costs. For banks and payment providers, it represents a distribution model that reaches customers at the point of commercial activity rather than at a traditional financial services touchpoint.
Tokenisation — representing financial assets as digital tokens on distributed ledger infrastructure — is moving from proof-of-concept to commercial deployment. The ECB completed preparatory work on a digital euro in late 2025, Hong Kong's Project Ensemble entered pilot phase, and significant momentum is expected throughout 2026. For enterprises, tokenisation offers a direct route to real-time settlement, eliminating the counterparty exposure that accumulates in T+2 cycles. For financial institutions, it introduces new questions around custody, interoperability between private and public ledger networks, and integration with TARGET and SWIFT systems.
Account-to-account payments are gaining material traction as instant payment infrastructure matures across Europe. For merchants, A2A payments offer lower cost of acceptance than card rails, real-time settlement, and strong authentication by default. For acquirers, they represent both a competitive threat and an opportunity to extend the value proposition beyond card processing. The EU Instant Payments Regulation (IPR) requires all eurozone banks to send and receive instant payments — receive capability was mandated from January 2025, send capability from October 2025.
114 countries representing 98% of global GDP are actively exploring central bank digital currencies. The European Central Bank completed its technical preparatory work on a digital euro in late 2025 and expects the enabling regulation in 2026. The UAE launched mBridge transactions with China in late 2025. The Bank of England established its Digital Pound Lab to test use cases with industry partners. These developments create immediate commercial and strategic questions for banks, payment processors, fintech businesses and corporates — from how to position relative to CBDC distribution roles to how CBDC infrastructure will interact with existing card and account-based payment systems.
Know Your Customer is not a one-time checkbox — it is a continuous obligation that spans onboarding, periodic review, and event-triggered reassessment. Customer due diligence (CDD) establishes the identity and purpose of the relationship; enhanced due diligence (EDD) applies when risk indicators — PEP status, high-risk jurisdiction, unusual transaction patterns — demand deeper scrutiny. Regulatory frameworks set the minimum bar: the Sixth Anti-Money Laundering Directive (6AMLD) tightened predicate offences and criminal liability across the EU, FATF Recommendations define global standards, the FCA's MLR 2017 obligations govern UK-regulated firms, and the Qatar Central Bank's AML/CFT framework imposes specific CDD requirements for firms operating in-country. Getting the programme right means knowing exactly which ruleset applies to each customer segment and geography.
Electronic KYC has transformed what was once a paper-heavy, branch-dependent process into a decisioning flow measurable in seconds. Document verification engines extract and validate data from passports, national ID cards, and driving licences; liveness detection confirms the document holder is present and alive, not a photograph or a deepfake. AI-assisted review layers on top to flag inconsistencies — mismatched fonts, cloned security features, metadata anomalies — that rule-based systems miss. The practical challenge for any payment firm is calibrating where automated approval stops and human review begins, because the cost of a false rejection sits in plain sight on the P&L, while the cost of a false pass is deferred and often much larger.
Onboarding a consumer and onboarding a corporate entity are fundamentally different exercises. For individuals, the process centres on identity document verification, sanctions and PEP screening, and source-of-funds assessment for higher-risk profiles. For businesses, the scope expands significantly: verifying the legal entity, understanding the ownership structure, and identifying ultimate beneficial owners (UBOs) down to the threshold defined by the relevant jurisdiction — typically 25% ownership or control. Complex structures involving holding companies, trusts, or nominees across multiple jurisdictions can require weeks of document collection and manual analysis. We help payment firms design KYC frameworks that are proportionate to their customer base and risk appetite, supported by technology integrations that lift straight-through processing rates without compromising regulatory integrity.
Anti-money laundering obligations on payment firms have expanded steadily as regulators recognise that money moves through payment infrastructure before it reaches any bank account. Transaction monitoring is the operational core of any AML programme, and the difference between a programme that works and one that merely satisfies an auditor is substantial. Rules-based systems — threshold triggers, velocity checks, geographic filters — are fast to deploy and easy to explain to regulators, but they produce high false-positive volumes and are trivially circumvented by sophisticated actors who know the thresholds. Machine learning-based systems identify behavioural patterns and typology signatures across large transaction populations, catching what rules miss, but they require clean data, regular model validation, and staff who can interrogate and explain alerts. Most mature programmes run both in parallel.
The regulatory environment is layered and jurisdiction-specific. 6AMLD extends criminal liability to legal persons and broadens the list of predicate offences. FinCEN's Bank Secrecy Act obligations govern US-dollar correspondent flows. The Qatar Central Bank's AML/CFT Instructions set explicit transaction monitoring requirements for licensed payment institutions, and the Central Bank of the UAE has published detailed guidance on wire transfer obligations and suspicious transaction reporting. FATF's Recommendation 16 — the travel rule — requires that originator and beneficiary information travels with wire transfers above threshold, and FATF's Virtual Assets guidance extends this to crypto transactions, a requirement now being operationalised by exchanges and custodians globally. Real-time payment rails introduce a specific tension: funds settle in seconds, leaving no practical window to hold and investigate a transaction before it completes. Effective AML on faster payments relies on pre-transaction scoring and post-transaction monitoring with rapid account action capability.
Suspicious Activity Reports and Suspicious Transaction Reports are the formal output of a functioning monitoring programme, but filing volume is a poor measure of programme quality. Regulators are increasingly focused on the quality of SAR narratives, the timeliness of filing, and whether the firm has a genuine typology library that reflects its actual business model and customer base. Correspondent banking de-risking — where banks exit relationships with payment firms rather than manage the risk — remains a live issue for firms that cannot demonstrate the rigour of their AML controls. We work with payment firms to design and stress-test transaction monitoring frameworks, build typology libraries tuned to specific business models, improve alert management workflows, and prepare the documentation that satisfies both internal audit and external regulatory examination.
Merchant onboarding is where acquirers and payment facilitators make their most consequential risk decisions, and where the commercial pressure to move fast conflicts most directly with the obligation to know who you are boarding. The traditional acquirer process — application intake, KYB documentation, business model review, processing history verification, risk scoring, pricing committee sign-off, agreement execution — routinely took two to four weeks and required significant manual effort. Modern payment facilitators running sub-merchant onboarding have compressed this to minutes through automation, straight-through processing logic, and real-time data enrichment. The gap between these two models represents both a commercial opportunity and a risk management challenge: speed benefits legitimate merchants, but it also shortens the window available to detect fraud and misrepresentation.
Good underwriting is built on three pillars: identity (is this entity and its principals who they claim to be), business model (does the described activity match the MCC, the website, the processing history, and the expected customer profile), and financial risk (what is the likely chargeback exposure and does the reserve structure adequately cover it). KYB goes beyond verifying company registration — it requires beneficial ownership identification, director background checks, sanctions screening, and in many cases a review of the actual product or service being sold. Processing history from prior acquirers, where obtainable, is one of the most predictive inputs; a merchant leaving one acquirer rarely does so for benign reasons. Risk tiering determines the ongoing monitoring intensity, the reserve level, and in some cases the pricing structure applied.
Common failure points in merchant onboarding include identity fraud (fabricated or stolen business identities used to obtain a merchant account), misrepresentation of business model (a high-risk operation boarding under a low-risk MCC), and straw merchants — entities established specifically to process transactions on behalf of another, undisclosed business. These are not edge cases; they account for a disproportionate share of acquirer losses and scheme fines. We work with acquirers and PayFacs to design onboarding workflows that lift STP rates on clean applications while applying targeted friction where the risk indicators warrant it, including integration with company registry APIs, adverse media monitoring, website content analysis, and processing behaviour analytics that flag anomalies post-boarding before losses crystallise.
High-risk acquiring is a specialist discipline, not a variation on standard acquiring with a higher price tag. The defining characteristic of a high-risk merchant is that one or more risk dimensions — chargeback propensity, regulatory complexity, reputational exposure, or restricted MCC classification — places it outside the appetite of mainstream acquirers. The principal verticals are well-established: online gaming and gambling, forex and CFD brokers, travel and ticketing with their extended fulfilment windows, nutraceuticals and subscription businesses using negative option billing, adult content, firearms accessories, and crypto exchanges. Each presents a distinct risk profile. A gambling operator in a regulated market with a Gambling Commission licence and solid chargeback history is a very different credit risk to an unlicensed gaming site processing through a nominee merchant. Conflating the two is a pricing error as much as a risk management failure.
The risk management framework for high-risk portfolios is more intensive than for standard merchant books. Visa's VDMP (Visa Dispute Monitoring Programme) and Mastercard's ECM (Excessive Chargeback Merchant) programme impose escalating fines and ultimately disqualification for merchants whose chargeback ratios breach programme thresholds — typically 0.9% to 1.0% of transactions by count. Rolling reserves — funds withheld from merchant settlement for a defined period, typically six months on a rolling basis — are the primary structural tool for managing credit exposure on high-risk accounts. Enhanced monitoring means weekly or daily review of chargeback volumes, transaction patterns, and refund rates rather than the monthly cadence applied to standard merchants. Real-time chargeback alert services through Verifi and Ethoca allow merchants and acquirers to resolve disputes before they formally enter the scheme dispute cycle.
The commercial dynamics of high-risk acquiring reflect the genuine cost of the risk carried. Processing fees run significantly higher than for standard merchant categories — MDRs of 3% to 7% are common in the riskiest verticals — and the spread between acquiring income and risk cost compresses rapidly if the portfolio is not actively managed. Most banks decline this segment entirely, either because internal policy prohibits certain MCCs outright or because the reputational and regulatory scrutiny is assessed as disproportionate to the return. The acquirers that operate here — specialist high-risk acquirers, certain offshore banks, and some Electronic Money Institutions — do so because they have built the underwriting capability, the monitoring infrastructure, and the regulatory relationships required to manage it profitably. We help firms assess whether high-risk acquiring is a viable strategic extension and, where it is, build the frameworks to manage it without importing uncontrolled liability.
Card acceptance infrastructure has changed more in the past five years than in the preceding two decades. The traditional model — a dedicated POS terminal connected to an acquirer via a payment application — is being supplemented and in some segments displaced by SoftPOS solutions that turn a merchant's Android device into a contactless acceptance point, eliminating terminal hardware costs. PIN on Glass, now certified under PCI CPoC and EMVCo standards, extends SoftPOS to transactions requiring cardholder verification, removing the last functional gap between dedicated hardware and software-only acceptance. Meanwhile, the omnichannel expectation — that a transaction started online can be completed in-store, and that a return processed at a till can reference an online purchase — requires acceptance infrastructure that treats all channels as a single transaction environment rather than separate stacks with separate data silos.
The economics of card acceptance reward merchants who understand the components of their cost. Interchange optimisation — submitting the transaction data that qualifies for lower interchange tiers — can meaningfully reduce effective rates, particularly for B2B merchants who can submit Level 2 and Level 3 data on corporate card transactions. Least-cost routing for dual-network debit cards allows merchants and acquirers to select the lower-cost network in real time; in markets where this is permitted, LCR typically reduces debit acceptance costs by 20–40 basis points. Surcharging rules vary by market and card type — the EU prohibits surcharging on consumer cards, while other markets permit it within defined limits. Understanding the full interchange and scheme fee schedule, not just the headline MDR, is foundational to any meaningful cost-of-acceptance analysis.
The MENA region presents a distinct acceptance context. Cash remains the dominant payment method across much of the Gulf and North Africa, and electronic acceptance penetration is a policy priority for several governments. QR code acceptance — both static and dynamic — has gained traction as a low-cost entry point for smaller merchants who cannot justify terminal hardware investment. Government-mandated acceptance schemes, including requirements to accept local debit schemes and BNPL instruments, are increasingly shaping the acceptance technology choices available to acquirers and merchants. Unattended payments — EV charging stations, kiosks, vending machines, parking — represent a fast-growing acceptance category with specific requirements around transaction authorisation, contactless limits, and fallback behaviour when connectivity is intermittent.
A chargeback is not simply a refund — it is a formal scheme dispute process with defined time limits, evidentiary requirements, and financial consequences that extend well beyond the value of the original transaction. The lifecycle begins when a cardholder contacts their issuing bank to dispute a transaction. The issuer reviews the claim and, if it meets the threshold for a dispute, initiates a chargeback by debiting the acquirer. Reason codes define the claimed basis for the dispute: Visa organises its dispute categories around fraud, authorisation, processing errors, and consumer disputes; Mastercard uses a parallel family structure. Each reason code carries different time limits — typically 120 days from transaction processing date for fraud disputes — and requires different evidence to contest. Failure to respond within the window forfeits the right to dispute regardless of the merits.
A significant proportion of chargebacks received by merchants are avoidable. Poor transaction descriptors — where the name appearing on the cardholder's statement does not match the merchant they recognise — drive friendly fraud disputes where no genuine fraud occurred. Missing or failed CVV and AVS checks remove the issuer's incentive to absorb fraud liability. Absent 3DS authentication means the merchant retains fraud liability that 3DS would have shifted to the issuer — the liability shift is one of the most commercially significant features of the 3DS protocol. For merchants with elevated chargeback ratios, the consequences escalate through scheme monitoring programmes: initial thresholds trigger notification and incremental fines, breaching higher thresholds can result in monthly fines of tens of thousands of pounds, and sustained breach leads to disqualification — the loss of the ability to accept that scheme's cards. Pre-arbitration and arbitration, where disputes are escalated to the scheme for a binding decision, carry additional fees of $250–$500 per case regardless of outcome.
Effective dispute management combines technology, process, and evidence discipline. Chargeback management platforms centralise incoming disputes across multiple acquirers, automate reason code analysis, and manage response deadlines. Chargeback alert services — Verifi's CDRN and Ethoca's alerts — notify merchants of pending disputes before they formally become chargebacks, providing a short window to issue a refund and prevent the dispute progressing. Visa's Order Insight and Mastercard's Consumer Clarity programmes allow merchants to push transaction detail — receipt data, delivery confirmation, customer communications — directly to the issuer's dispute interface, resolving many cardholder queries before a dispute is ever raised. Representment — contesting a chargeback with compelling evidence — can achieve win rates of 40–70% on winnable reason codes when the evidence package is correctly assembled. We work with merchants and acquirers to build dispute programmes that reduce avoidable chargebacks at source, automate representment workflows, and manage scheme programme compliance before ratios breach critical thresholds.
Payments regulation is changing faster than at any point in the past decade. We track the changes that matter and advise clients on practical compliance and commercial response.
PSD3 builds on PSD2 with stronger fraud liability rules, enhanced open banking rights and new provisions for payment account access. The accompanying PSR creates directly applicable rules across member states, removing the inconsistency of national transposition for core requirements.
All eurozone payment service providers must now be able to both receive and send instant credit transfers in euro. Pricing must be equivalent to standard credit transfers. The April 2026 reporting deadline requires PSPs to submit data on service availability and adoption rates to national competent authorities.
ISO 20022 is becoming the default messaging standard for high-value and cross-border payment systems globally. As SWIFT reduces tolerance for MT-to-MX translation and tightens validation rules, institutions with incomplete migration face growing operational and compliance risk. Structured data quality is now a baseline requirement.
The FCA's updated safeguarding framework strengthens requirements for payment institutions and electronic money institutions around how customer funds are protected, reconciled and reported. Greater emphasis on auditability, record-keeping and insolvency preparedness reflects lessons from recent PI failures and increased FCA supervisory focus on fund protection.
The EU AML Package creates a new authority — the Anti-Money Laundering Authority (AMLA) — with direct supervisory powers over high-risk financial institutions. The package harmonises AML/CFT requirements across member states, introducing a single EU rulebook and removing the inconsistencies that currently allow regulatory arbitrage between jurisdictions.
The EU AI Act classifies certain AI systems used in financial services — particularly credit scoring, fraud detection and customer risk assessment — as high-risk, requiring conformity assessments, technical documentation, human oversight mechanisms and transparency obligations. Payment and credit providers using AI models for real-time decisioning must assess their compliance position ahead of the August 2026 deadline.
The ECB completed its technical and preparatory work on a digital euro in late 2025 following the investigation phase. The enabling regulation, currently under consideration by the European Parliament and Council, will define the legal framework for issuance, distribution through intermediaries, holding limits and the relationship between a digital euro and commercial bank deposits.
The Payment Systems Regulator's mandatory reimbursement rules for Authorised Push Payment (APP) fraud require sending and receiving PSPs to share responsibility for reimbursing fraud victims. With a £85,000 maximum reimbursement cap, the rules create significant commercial exposure for smaller payment institutions and have prompted industry-wide reviews of fraud controls and customer due diligence.
Strong Customer Authentication requires payment transactions to be verified using at least two independent factors from the categories of knowledge, possession, and inherence. Under PSD2 and now PSD3, the obligation falls on the issuer for card transactions authenticated via 3DS, with liability shifting away from the merchant when 3DS is successfully applied. The commercial impact is significant: merchants who have not implemented 3DS correctly face higher fraud dispute rates and carry liability that authenticated transactions would transfer to the issuer. Exemptions — transaction risk analysis, low-value transactions, trusted beneficiaries — must be applied correctly to avoid unnecessary friction while maintaining compliance.
FATF Recommendation 16 requires that originator and beneficiary information travels with wire transfers above threshold — $1,000 / €1,000 in most jurisdictions. The same obligation now extends to virtual asset transfers under FATF's updated guidance, requiring virtual asset service providers (VASPs) to collect, hold, and transmit customer information on crypto transactions. Implementation across the VASP sector has been uneven, with the sunrise problem — the inability to send required data to a counterparty that has not yet implemented the rule — creating compliance gaps. For payment firms with cross-border wire transfer volumes or crypto-related business, travel rule compliance is both a regulatory obligation and an ongoing operational challenge as counterparty infrastructure matures.
End-to-end advisory on card programme design, processor selection, scheme membership, interchange optimisation and portfolio management for both consumer and commercial card programmes.
Architecture and deployment advisory for digital payment platforms, mobile wallets, super-app payment integration and next-generation checkout experiences across web and in-app environments.
Omnichannel payment orchestration covering gateway selection, payment method mix, 3DS2 implementation, checkout conversion optimisation and cross-border payment acceptance.
Commercial payment advisory covering virtual card programmes, eInvoicing under the EU mandate, supply chain finance integration, AP/AR automation and business payment platform strategy.
Cross-border payment strategy for remittance operators and digital money transfer services, covering corridor economics, banking access, FX management, compliance and licence requirements.
Virtual card solutions for travel management companies, airline and hotel payment programmes, lodging card integration, TMC rebate structures and travel wallet product design.
Practical advisory on AI deployment in payments — fraud, underwriting, customer service — and distributed ledger applications including tokenised assets, smart contracts and cross-border settlement.
PCI-DSS programme management, AML/CFT framework design, KYC/PEP process optimisation, fraud strategy, chargeback management and regulatory compliance across multiple jurisdictions.
We work with a range of organisations at significant points of commercial and strategic change — from financial institutions entering new payments markets to corporates reviewing their payment costs and risk exposure.
Partnering with MENA Advisory provided us with the clarity and direction we needed to scale our operations efficiently. Their practitioner knowledge of the payments sector — and their proactive approach in identifying risks before they became problems — made them an invaluable partner in our growth journey.
Working with MENA Advisory on our B2B payments project was an outstanding experience. Their team brought deep understanding of the complexities involved, and delivered tailored solutions that directly addressed our needs — leading to significant operational efficiencies and measurably better outcomes for our clients.
Visa's Trusted Agent Protocol, Mastercard's Agent Pay and Stripe's Machine Payments Protocol represent the opening moves in what will become a fundamental restructuring of how authorisation works. We examine the implications for processors, issuers and merchants.
Read InsightPolitical agreement on PSD3 is expected in the first half of 2026, with national transposition to follow. We break down the material changes from PSD2, the new PSR provisions and what financial institutions should be doing now to prepare.
Read InsightThe EU Instant Payments Regulation has created the infrastructure. Open banking has created the access layer. The question for merchants and acquirers is where account-to-account payments genuinely improve the economics — and where cards remain the better option.
Read InsightThe ECB completed its technical preparatory work on a digital euro in late 2025. With the enabling regulation expected in 2026, payment service providers operating in the eurozone need to understand the distribution model, holding limits and the commercial implications of acting as an intermediary.
Read InsightHigh-risk AI system requirements under the EU AI Act apply from August 2026. For payment and credit providers using AI in fraud detection, credit scoring or customer risk assessment, the conformity assessment and documentation requirements are more demanding than most compliance teams have planned for.
Read InsightThe ECB's planned DvP pilot connecting trading platforms and TARGET services in Q3 2026 marks a significant step towards tokenised settlement becoming operational infrastructure. We examine the timeline, the interoperability challenges and the commercial implications for financial market participants.
Read InsightOpen Banking is expected to be a significant catalyst for growth in instant B2B monetary transactions, with fintechs offering tools that empower small and medium-sized businesses to grow without incurring significant costs.
Read InsightWhether you are evaluating a fintech investment, addressing a digital transformation, or looking to optimise your payment infrastructure — our team is ready to engage.