Instant payment rails across the GCC have passed the point at which they can still be treated as emerging infrastructure. SARIE in Saudi Arabia processed over 1.5 billion transactions in 2025, recording 42% annual volume growth. Aani in the UAE reached 180 million transactions in its first year of commercial operation. Qatar's QPAY domestic instant network is live. Bahrain's FAWRI+ has been operational since 2015 and remains one of the more mature instant rails in the region. For payment firms operating in the GCC, the question is no longer whether instant rails matter — it is whether your connectivity, compliance, and fraud controls are calibrated to the specific operational characteristics of each.
This article covers the architecture and current status of each major GCC instant rail, the fraud and AML challenges that irrevocability creates, liquidity management requirements, and what the regulatory direction of travel means for firms connecting to these networks in 2026 and beyond.
Every instant payment rail in the GCC shares one defining characteristic: once a payment is settled, it cannot be recalled through normal banking channels. Unlike SWIFT payments, where a recall instruction can be transmitted and a correspondent bank can place the funds on hold pending investigation, an instant rail payment completes its settlement cycle in seconds. The beneficiary's account is credited. The funds are theirs.
This irrevocability is a feature, not a defect — it is what makes instant rails commercially useful for the payee. But it fundamentally changes the fraud and AML risk model for every institution connected to the network. Fraud controls that operate post-transaction on legacy rails — detecting suspicious patterns, holding funds, initiating a recall — are not available in the same form on instant rails. The only effective point of intervention is pre-transaction: scoring the payment instruction before authorisation, not after.
The specific fraud typology that has grown fastest alongside instant rails globally is authorised push payment (APP) fraud: the victim is manipulated — by social engineering, impersonation of a bank, regulator, or trusted institution — into authorising a payment themselves. Because the victim authorised the transaction, there is no authentication failure to detect. The payment looks legitimate at every technical checkpoint. The UK's experience under its PSR APP fraud reimbursement regime is instructive: mandatory reimbursement of victims has imposed direct commercial losses on sending and receiving PSPs and driven substantial investment in behavioural fraud detection, pre-transaction risk scoring, and payee confirmation services. GCC regulators are watching that experience closely.
The Saudi Payments Network (SARIE) is operated by Saudi Payments, a subsidiary of SAMA. It processes both high-value RTGS transactions and retail instant credit transfers, with 24/7/365 availability. SAMA's revised Payment Systems Oversight Framework, issued under Circular 472047719 in March 2026, introduces stricter governance obligations for systemically important payment system operators — SARIE being the primary SIPS in the Kingdom.
Key characteristics relevant to connecting institutions:
Aani is the UAE's Instant Payments Platform, operated by Al Etihad Payments (AEP), a wholly owned subsidiary of the Central Bank of the UAE. It launched commercially in late 2023 and processed over 180 million transactions in its first full year. The CBUAE has positioned Aani as the foundational layer for open banking payment initiation in the UAE, with account-to-account transfers available through both direct bank participation and via licensed payment service providers.
Qatar's domestic instant payment infrastructure operates under the Qatar Central Bank's payment systems framework, established under the Payment Systems Law No. 15 of 2021. QPAY provides real-time domestic credit transfers between QCB-regulated institutions, with QR code payment initiation for retail merchants delivered through the Himyan QR standard mandated by the QCB.
Bahrain's instant payment infrastructure, operated by the Bahrain Bourse under CBB oversight, is the most mature in the GCC, having been live since 2015. FAWRI+ processes retail instant credit transfers with a per-transaction limit of BHD 5,000. The CBB's open banking framework — generally regarded as the most developed in the GCC — mandates API access for licensed account information and payment initiation providers, with FAWRI+ as the settlement rail for domestic payment initiation.
Bahrain's experience is instructive for the rest of the region: a mature instant rail, a functional open banking ecosystem, and a relatively well-developed fintech licensing environment create a market where the theoretical promise of instant payments has been tested against commercial reality for a decade. Firms entering the GCC market should treat Bahrain as a reference implementation and examine how account-to-account adoption has developed alongside, rather than displacing, card acceptance.
| Rail | Market | Operator | Proxy Addressing | Open Banking Integration | ISO 20022 |
|---|---|---|---|---|---|
| SARIE | Saudi Arabia | Saudi Payments / SAMA | IBAN + mobile (developing) | SAMA OB licence required | High-value: live; retail: aligning |
| Aani | UAE | Al Etihad Payments / CBUAE | Mobile number, Emirates ID | CBUAE PSP licence | Native |
| QPAY | Qatar | QCB | Himyan QR (merchant-facing) | QCB OB framework | Aligned |
| FAWRI+ | Bahrain | Bahrain Bourse / CBB | Mobile, CPR (National ID) | CBB OB framework (most mature in GCC) | Aligned |
The fraud control architecture for instant rails is fundamentally different from that for batch or card rails. The following are the controls that have demonstrated effectiveness:
Pre-transaction behavioural scoring. Transaction risk models must operate in the milliseconds between payment instruction submission and authorisation. This requires ML models that score in real time against features including: device and session context, payer's historical payment patterns, beneficiary history (is this payee new? have others sent to this payee and disputed?), transaction timing and value relative to baseline. Batch models run overnight are not suitable for instant rail fraud prevention.
Confirmation of Payee / Verification of Payee. Proxy-to-account name matching — presenting the payer with the account name associated with the beneficiary proxy before they confirm the payment — is one of the most effective APP fraud mitigations. It breaks the social engineering narrative: if the fraudster's account is registered in a different name to the institution they are impersonating, the mismatch is surfaced to the payer. The UK mandated Confirmation of Payee; SAMA has introduced Verification of Payee as part of SARIE enhancements; the CBUAE's Aani proxy service incorporates similar functionality.
Mule account detection. APP fraud requires a receiving account to collect the funds before they are moved on. Monitoring for account behaviour patterns consistent with mule activity — newly opened accounts receiving multiple inbound transfers from unrelated senders within a short window — allows receiving institutions to flag and delay (where technically possible) or report suspicious receipt patterns.
Cooling-off periods for new payees. Several European banks have implemented voluntary friction for first-time payments to a new beneficiary: a short delay or a confirmation step that breaks the urgency narrative that social engineering typically relies on. This approach is under active regulatory and commercial discussion in GCC markets.
Instant payment rails operate continuously. Legacy treasury and liquidity management practices — end-of-day net settlement, overnight funding, intraday credit from a clearing bank — are not designed for 24/7 irrevocable settlement obligations.
Direct participants in SARIE, Aani, and QPAY must maintain sufficient pre-funded positions to cover anticipated intraday settlement volumes at all times, including outside normal banking hours. The practical requirements are:
For institutions offering instant payment services through an indirect participation model — sponsoring bank carries the settlement obligation — the commercial agreement with the sponsoring bank must define clearly how prefunding is provided, what happens when the indirect participant's prefunding is exhausted, and how the settlement risk is priced into the commercial relationship.
The regulatory direction across all GCC markets is toward stricter pre-transaction controls, more granular supervisory reporting on instant rail transaction volumes, and increased personal accountability at board level for payment system resilience. Firms that treat instant rail compliance as a connectivity question rather than an operational risk and fraud management question will find themselves behind the supervisory curve as these frameworks mature.
MENA Advisory advises payment institutions, banks, and fintechs connecting to GCC instant payment rails across SARIE, Aani, QPAY, and FAWRI+. If you are reviewing your instant payment connectivity, fraud controls, or liquidity management frameworks, contact us to discuss your requirements.
Request a Consultation