GCC Instant Payments: SARIE, Aani, QPAY and What Comes Next

Instant payment rails across the GCC have passed the point at which they can still be treated as emerging infrastructure. SARIE in Saudi Arabia processed over 1.5 billion transactions in 2025, recording 42% annual volume growth. Aani in the UAE reached 180 million transactions in its first year of commercial operation. Qatar's QPAY domestic instant network is live. Bahrain's FAWRI+ has been operational since 2015 and remains one of the more mature instant rails in the region. For payment firms operating in the GCC, the question is no longer whether instant rails matter: it is whether your connectivity, compliance, and fraud controls are calibrated to the specific operational characteristics of each.

This article covers the architecture and current status of each major GCC instant rail, the fraud and AML challenges that irrevocability creates, liquidity management requirements, and what the regulatory direction of travel means for firms connecting to these networks in 2026 and beyond.

The Irrevocability Problem

Every instant payment rail in the GCC shares one defining characteristic: once a payment is settled, it cannot be recalled through normal banking channels. Unlike SWIFT payments, where a recall instruction can be transmitted and a correspondent bank can place the funds on hold pending investigation, an instant rail payment completes its settlement cycle in seconds. The beneficiary's account is credited. The funds are theirs.

This irrevocability is a feature, not a defect: it is what makes instant rails commercially useful for the payee. But it fundamentally changes the fraud and AML risk model for every institution connected to the network. Fraud controls that operate post-transaction on legacy rails , detecting suspicious patterns, holding funds, initiating a recall , are not available in the same form on instant rails. The only effective point of intervention is pre-transaction: scoring the payment instruction before authorisation, not after.

The specific fraud typology that has grown fastest alongside instant rails globally is authorised push payment (APP) fraud: the victim is manipulated: by social engineering, impersonation of a bank, regulator, or trusted institution , into authorising a payment themselves. Because the victim authorised the transaction, there is no authentication failure to detect. The payment looks legitimate at every technical checkpoint. The UK's experience under its PSR APP fraud reimbursement regime is instructive: mandatory reimbursement of victims has imposed direct commercial losses on sending and receiving PSPs and driven substantial investment in behavioural fraud detection, pre-transaction risk scoring, and payee confirmation services. GCC regulators are watching that experience closely.

SARIE — Saudi Arabia

The Saudi Payments Network (SARIE) is operated by Saudi Payments, a subsidiary of SAMA. It processes both high-value RTGS transactions and retail instant credit transfers, with 24/7/365 availability. SAMA's revised Payment Systems Oversight Framework, issued under Circular 472047719 in March 2026, introduces stricter governance obligations for systemically important payment system operators: SARIE being the primary SIPS in the Kingdom.

Key characteristics relevant to connecting institutions:

• Message format: ISO 20022 MX messages are the standard for SARIE high-value transactions; retail instant credit transfers use a locally defined message schema that is progressively aligning to ISO 20022 structures.
• Participation model: Direct participation requires a Saudi banking licence. Indirect participation through a sponsoring bank is available to licensed payment institutions; the sponsor bears primary liability for the indirect participant's transactions.
• Liquidity: Direct participants must maintain pre-funded positions at SAMA sufficient to cover intraday settlement obligations. SAMA provides intraday liquidity facilities but these are collateralised.
• mada integration: Domestic debit transactions in Saudi Arabia route through the mada network, which connects to SARIE for settlement. Any payment institution acquiring mada transactions or offering mada acceptance needs to understand the settlement flow through SARIE and the associated timing obligations.
• Open Banking intersection: SAMA's Open Banking Programme moved to full licensing in March 2026. PISP-initiated payments: account-to-account transfers initiated via open banking APIs: settle over SARIE. Licensed open banking PISPs must meet SAMA's API performance and resilience standards, which include uptime SLAs measured against SARIE's own availability windows.

Aani — United Arab Emirates

Aani is the UAE's Instant Payments Platform, operated by Al Etihad Payments (AEP), a wholly owned subsidiary of the Central Bank of the UAE. It launched commercially in late 2023 and processed over 180 million transactions in its first full year. The CBUAE has positioned Aani as the foundational layer for open banking payment initiation in the UAE, with account-to-account transfers available through both direct bank participation and via licensed payment service providers.

• Proxy addressing: Aani supports mobile number and Emirates ID as payment proxies, eliminating the need for the payer to know the beneficiary's IBAN. This significantly increases consumer usability but also increases APP fraud risk: a fraudster impersonating a trusted entity needs only to provide their mobile number as a proxy to receive funds.
• Participation: Licensed banks participate directly. Licensed PSPs and exchange houses can participate under a tiered access model; indirect participants settle through a sponsoring direct participant.
• CBUAE AML alignment: The CBUAE's April 2026 AML/CFT/CPF guidance package specifically addresses obligations for payment firms on instant rails, including pre-transaction sanctions screening requirements and post-settlement monitoring obligations. Firms connecting to Aani must demonstrate that sanctions screening occurs before the payment instruction is submitted, not after settlement: the standard T+1 batch screening model does not satisfy this requirement.
• Cross-border development: The CBUAE and mBridge multilateral CBDC platform represent the next layer of UAE cross-border payments infrastructure. Aani's domestic settlement role is expected to interface with mBridge for cross-border leg settlement in GCC corridors.

QPAY — Qatar

Qatar's domestic instant payment infrastructure operates under the Qatar Central Bank's payment systems framework, established under the Payment Systems Law No. 15 of 2021. QPAY provides real-time domestic credit transfers between QCB-regulated institutions, with QR code payment initiation for retail merchants delivered through the Himyan QR standard mandated by the QCB.

• Himyan QR: The QCB mandates support for Himyan QR at point of sale for merchants above a defined revenue threshold. The standard uses a consumer-presented QR model linked to the payer's bank account, with settlement over the QPAY rail. Acquirers and merchants operating in Qatar must ensure their acceptance infrastructure supports Himyan QR alongside card acceptance.
• Participation requirements: Direct participation in QPAY is restricted to QCB-licensed banks. Payment institutions and exchange houses operating in Qatar access the network through a sponsoring bank. The QCB's licensing framework for payment service providers, updated under the 2021 Payment Systems Law, sets out the conditions under which PSPs may offer QPAY-connected services.
• ISO 20022: The QCB has aligned QPAY messaging standards with ISO 20022, consistent with CPMI guidance on harmonised payment data standards. Institutions migrating legacy infrastructure need to confirm that their message processing capability handles structured ISO 20022 address fields correctly: a common gap in legacy core banking systems.
• Open Banking framework: The QCB's open banking framework sets requirements for API connectivity between licensed third-party providers and participating banks. Payment initiation via open banking APIs routes to QPAY for domestic settlement.

FAWRI+ — Bahrain

Bahrain's instant payment infrastructure, operated by the Bahrain Bourse under CBB oversight, is the most mature in the GCC, having been live since 2015. FAWRI+ processes retail instant credit transfers with a per-transaction limit of BHD 5,000. The CBB's open banking framework: generally regarded as the most developed in the GCC , mandates API access for licensed account information and payment initiation providers, with FAWRI+ as the settlement rail for domestic payment initiation.

Bahrain's experience is instructive for the rest of the region: a mature instant rail, a functional open banking ecosystem, and a relatively well-developed fintech licensing environment create a market where the theoretical promise of instant payments has been tested against commercial reality for a decade. Firms entering the GCC market should treat Bahrain as a reference implementation and examine how account-to-account adoption has developed alongside, rather than displacing, card acceptance.

Comparative Rail Overview

Fraud Controls: What Works on Irrevocable Rails

The fraud control architecture for instant rails is fundamentally different from that for batch or card rails. The following are the controls that have demonstrated effectiveness:

Pre-transaction behavioural scoring. Transaction risk models must operate in the milliseconds between payment instruction submission and authorisation. This requires ML models that score in real time against features including: device and session context, payer's historical payment patterns, beneficiary history (is this payee new? have others sent to this payee and disputed?), transaction timing and value relative to baseline. Batch models run overnight are not suitable for instant rail fraud prevention.

Confirmation of Payee / Verification of Payee. Proxy-to-account name matching: presenting the payer with the account name associated with the beneficiary proxy before they confirm the payment , is one of the most effective APP fraud mitigations. It breaks the social engineering narrative: if the fraudster's account is registered in a different name to the institution they are impersonating, the mismatch is surfaced to the payer. The UK mandated Confirmation of Payee; SAMA has introduced Verification of Payee as part of SARIE enhancements; the CBUAE's Aani proxy service incorporates similar functionality.

Mule account detection. APP fraud requires a receiving account to collect the funds before they are moved on. Monitoring for account behaviour patterns consistent with mule activity: newly opened accounts receiving multiple inbound transfers from unrelated senders within a short window , allows receiving institutions to flag and delay (where technically possible) or report suspicious receipt patterns.

Cooling-off periods for new payees. Several European banks have implemented voluntary friction for first-time payments to a new beneficiary: a short delay or a confirmation step that breaks the urgency narrative that social engineering typically relies on. This approach is under active regulatory and commercial discussion in GCC markets.

Liquidity Management: The 24/7 Challenge

Instant payment rails operate continuously. Legacy treasury and liquidity management practices: end-of-day net settlement, overnight funding, intraday credit from a clearing bank , are not designed for 24/7 irrevocable settlement obligations.

Direct participants in SARIE, Aani, and QPAY must maintain sufficient pre-funded positions to cover anticipated intraday settlement volumes at all times, including outside normal banking hours. The practical requirements are:

• Intraday liquidity forecasting models that project settlement obligations by time window, not just end-of-day net position
• Automated pre-funding triggers that top up settlement accounts when positions fall below defined thresholds
• Contingency liquidity facilities: credit lines with sponsoring banks or central bank intraday facilities: that can be drawn within minutes if pre-funded positions are insufficient
• Reconciliation processes that run continuously against the rail's settlement file, not daily against a batch statement

For institutions offering instant payment services through an indirect participation model: sponsoring bank carries the settlement obligation , the commercial agreement with the sponsoring bank must define clearly how prefunding is provided, what happens when the indirect participant's prefunding is exhausted, and how the settlement risk is priced into the commercial relationship.

What Payment Firms Should Be Doing Now

The regulatory direction across all GCC markets is toward stricter pre-transaction controls, more granular supervisory reporting on instant rail transaction volumes, and increased personal accountability at board level for payment system resilience. Firms that treat instant rail compliance as a connectivity question rather than an operational risk and fraud management question will find themselves behind the supervisory curve as these frameworks mature.