Protection Payments
Last Updated: 06/02/2026
Protect your business with reliable and effective AML strategies with AML UAE.
Protection Payments: Key Highlights
Organised criminals collect protection payments by coercing legitimate businesses into paying regular sums under threat of violence or property damage.
Protection payments derived from extortion may constitute proceeds of a predicate offence. Where such funds are converted, transferred, concealed, acquired, possessed, or used with the required knowledge or indications, the activity may amount to money laundering under Federal Decree-Law No. (10) of 2025. Full AML obligations apply to any institution that handles the resulting cash flows.
Compliance teams must treat unexplained cash surges in business accounts as a primary detection signal.
What are Protection Payments?
Protection payments are regular sums of money that organised criminal groups demand from business owners or individuals under threat of violence, property destruction, or harm to family members. The arrangement is a form of extortion in which the criminal group offers fictitious “protection” from threats that it has itself created or implied. Victims pay to avoid harm rather than in exchange for any legitimate service.
In the context of anti-money laundering, protection payments are significant because the proceeds received by the criminal group represent illicit funds derived from a predicate offence. Federal Decree-Law No. (10) of 2025 Article 2 defines money laundering as any act performed on funds derived from a criminal offence, including acquiring, possessing, using, converting, disposing of, or transferring such funds, or concealing their illicit origin. Extortion, from which protection payments flow, is a recognised predicate offence under UAE law.
The financial footprint of protection payments typically enters the banking system through cash-intensive victim businesses. Banks, exchange houses, and designated non-financial businesses and professions that handle accounts belonging to victim enterprises face direct exposure to these flows.
Regulatory Framework Related to Protection Payments
Protection payments engage several layers of the UAE AML/CFT legal framework.
Federal Decree-Law No. (10) of 2025 (FDL 10/2025) is the apex AML/CFT statute. Article 2 criminalises money laundering in respect of funds derived from any predicate offence, without requiring a prior conviction for that predicate offence. Extortion, including the collection of protection payments, produces proceeds that qualify as criminal property under Article 1 of FDL 10/2025.
Article 18 of FDL 10/2025 imposes an obligation to file a suspicious transaction report (STR) without delay whenever a regulated entity has reason to suspect that a transaction or customer is linked to money laundering or the proceeds of crime.
Cabinet Resolution No. (134) of 2025 (CR 134/2025) is the operative AML/CFT executive regulation. Article 8 requires regulated entities to monitor their customers and transactions on an ongoing basis. Article 18 specifies the STR filing obligation in detail, including the requirement to report through the goAML platform operated by the UAE Financial Intelligence Unit (FIU). Article 19 prohibits tipping off a customer about whom an STR has been filed.
Cabinet Resolution No. (71) of 2024 (CR 71/2024) sets out the administrative penalty schedule for AML/CFT breaches by Ministry of Economy and Tourism (MoET) and Ministry of Justice (MoJ) supervised entities. Failure to file an STR carries a maximum fine of AED 500,000. Failure to freeze funds when required carries a maximum fine of AED 1,000,000.
Regulatory Reference
Federal Decree-Law No. (10) of 2025, Article 2 (money laundering criminalisation) and Article 18 (STR obligation). Cabinet Resolution No. (134) of 2025, Articles 8, 18, and 19 (ongoing monitoring, STR filing, and tipping-off prohibition). Cabinet Resolution No. (71) of 2024, Violations 22 and 35 (STR filing failure and TFS freeze failure penalties).
Primary Authorities in the UAE
The Central Bank of the UAE (CBUAE) supervises financial institutions and establishes the UAE Financial Intelligence Unit (FIU). All STRs from any regulated entity are filed exclusively with the FIU through the goAML platform under FDL 10/2025 Article 11.
The MoET supervises AML compliance for DNFBPs, including real estate agents, dealers in precious metals and stones, trust and company service providers and accountants. The MoJ supervises lawyers, notaries, and legal consultancies. The GCGRA supervises commercial gaming operators; the CMA supervises capital markets and securities; and VARA supervises VASPs. DFSA supervises DIFC-based entities, and FSRA supervises ADGM-based entities.
Reporting or Compliance Obligations and Channels of Protection Payments
Regulated entities, including banks, exchange houses, and DNFBPs, must file a Suspicious Transaction Report (STR) through the goAML when they suspect funds or transactions may be linked to criminal activity, including protection payments. The FDL 10/2025 Article 18 and CR 134/2025 Article 18 state that STR reporting is based on suspicion and is not subject to a minimum transaction threshold.
Regulated entities must also conduct ongoing monitoring of customer relationships and transactions under CR 134/2025 Article 8. Entities must also update customer due diligence information where transactions are inconsistent with the customer’s known business or risk profile. Enhanced due diligence (EDD) measures should be applied where entities identify high risks.
Where a customer or transaction matches a designated person or entity, freezing obligations arise under Cabinet Decision No. (74) of 2020. Article 15 requires any person to freeze assets without delay and without prior notice, and to notify the EOCN within five working days. Article 21 sets out the specific operational obligations for financial institutions and DNFBPs, including NAS registration, constant screening, freezing without delay, and reporting.
What Do Protection Payments Mean?
Think of a shop owner in a market who is approached by a group that tells them to pay a weekly sum or face consequences. The shop owner pays, not because they are buying anything, but because they are afraid. That payment flows into the criminal group’s pocket as cash, stripped of any legitimate origin. When that cash then appears in a bank account, deposited by the criminal group or cycled through a shell company, it looks like revenue from a legitimate business. The money has been laundered. The shop owner’s fear has been converted into a banking transaction.
Why Protection Payments Matter
Compliance officers who treat protection payments as a distant organised crime problem miss where the risk actually sits: inside their own customer portfolio. The victim businesses that pay protection are cash-intensive enterprises, often in hospitality, construction, retail, or transport. Their accounts hold the very cash flows that organised crime groups extract, recycle, and ultimately deposit elsewhere. A bank managing hundreds of small business accounts in high-density commercial areas is, statistically, managing accounts that are exposed to extortion demands.
The consequence of misidentifying this exposure is severe. Under FDL 10/2025 Article 28, failure to file an STR when suspicion exists carries a criminal penalty of imprisonment and a fine of up to AED 1,000,000. Under CR 71/2024, the administrative fine for STR filing failure reaches AED 500,000 per violation. Repeated violations within one year attract doubled fines under CR 71/2024 Article 5(2).
Beyond penalties, institutions that unknowingly process protection payment proceeds become conduits for organised crime. Supervisory findings, enforcement actions, and administrative penalties may also create reputational exposure, particularly where penalties are published or otherwise become public. Institutions identified as having inadequate controls for organised crime typologies face public scrutiny alongside financial penalties.
The implication for any compliance team is direct: business account monitoring must be calibrated to detect cash surges that outpace legitimate trading activity, and customer risk profiling must extend to the geographic and sectoral environments in which business customers operate.
How Protection Payments Work
Understanding the mechanics of a protection payment scheme reveals where the money laundering risk is concentrated and which detection controls are most likely to intercept it.
Stage One: Target Identification and Approach
An organised crime group identifies businesses that generate regular, predictable cash turnover. Cash-intensive enterprises, bars, restaurants, construction subcontractors, convenience stores, and car washes are the primary targets. The group’s intelligence gathering includes physical surveillance of trading patterns, local knowledge of business activity, and, in some cases, infiltration of business networks through corrupt employees or associates. The targeting is systematic, not opportunistic. Criminal groups assess each target for their ability to pay and their vulnerability to coercion.
Stage Two: Coercion and Demand
Once a target is identified, the criminal group makes an approach, typically through an intermediary, to insulate the group leader. The demand is framed as payment for “protection,” implying that the group can either prevent or cause harm to the business. The initial demand is calibrated to the target’s apparent cash turnover. Victims who resist face consequences designed to demonstrate the group’s capacity and willingness to act. Property damage, threats to staff, or interference with supply chains establish the credibility of the demand. Shell or front companies may be used to create a veneer of legitimacy around the payment, presenting the extortion as a consultancy fee, a cleaning contract, or a security service charge.
Stage Three: Payment and Collection
Victims pay in cash at regular intervals, weekly or monthly, in amounts that remain below formal reporting thresholds. The consistency and regularity of these payments are operationally important to the criminal group: they establish a predictable income stream. Collection is typically handled by low-level associates, creating separation between the criminal proceeds and the group’s leadership. Some criminal groups evolve this structure further, requiring payment into designated bank accounts or through third parties, which begins the layering process immediately.
Stage Four: Laundering Through the Financial System
The cash collected by the criminal group is its primary laundering challenge. Cash in quantity is difficult to move, hard to account for, and attracts attention if deposited in large amounts. Criminal groups use several methods to introduce protection payment proceeds into the financial system. Deposits are structured in amounts below reporting thresholds across multiple accounts and branches. Cash-intensive businesses that the criminal group itself operates, or has infiltrated, absorb the protection payment cash as apparent trading revenue. Equity interests in legitimate companies are acquired using protection from protection payments to create an additional layer of commercial legitimacy. Transaction logs from these businesses show elevated cash receipts that are indistinguishable, at the surface level, from genuine trading activity.
Stage Five: Integration and Concealment
At the integration stage, laundered funds appear in bank accounts as business revenue. Beneficial ownership registries are obscured through the use of shell companies and nominee structures. Company and beneficial ownership registries may show only front individuals, with the criminal group’s actual control exercised informally. At this point, the funds are available for use in legitimate economic activity: property purchases, business investments, or further criminal enterprise. KYC and CDD records for the front businesses typically show clean, declared ownership with no obvious link to the criminal group.
Scenario Examples of Protection Payments
The Hospitality Sector Racket
A criminal organisation operating in a mid-sized city identifies a cluster of restaurants and bars in a commercial district. Each business turns over significant cash through food and beverage sales. The organisation approaches each owner separately, demanding a fixed weekly sum described informally as “security cover.”
Owners who refuse experience vandalism, threatening behaviour towards staff, and interference with suppliers. Within three months, twelve businesses will be paying. The cash is collected weekly by a runner and consolidated at a central point controlled by a mid-level associate. It is then deposited across four different bank accounts, in varying amounts, by four different individuals with no stated connection to each other.
Each deposit is below the reporting threshold. The bank’s transaction monitoring system flags elevated cash activity on two of the accounts but does not generate an alert because the accounts belong to businesses in the hospitality sector, where elevated cash is expected.
The criminal organisation successfully launders the proceeds because the monitoring rules were not calibrated to detect inconsistency between individual account cash volumes and industry norms for similar-sized enterprises in the same area. The detection lesson is precise: transaction monitoring rules must compare cash volumes against a granular industry and size-adjusted benchmark, not a broad sector average.
The Construction Industry Extortion Network
A criminal group with roots in a regional trade union infiltrates a cluster of construction subcontractors working on publicly funded infrastructure projects. The group demands that each subcontractor pay a percentage of the contract value before the group will allow its members, who work as labourers on the sites, to cooperate with site management. Subcontractors who refuse face work stoppages, equipment damage, and formal complaints to regulatory bodies.
The payments are structured as cash advances on fictitious invoices from a shell company that purports to provide labour coordination services. The shell company has a bank account and a registered address. Its business bank account receives regular cash deposits, always in round figures, from multiple subcontractors. No services are ever rendered.
The company’s financial, business, and tax records show high cash receipts and negligible expenses, a pattern that a financial institution alert to protection payment typologies would identify as inconsistent with a genuine labour coordination business.
The key detection signal is the combination of a cash-heavy account, no verifiable business activity, and a pattern of round-figure deposits from multiple payers with no apparent connection to each other.
The Cross-Border Criminal Enterprise
A transnational organised crime group operates a protection payment network across multiple jurisdictions, collecting cash from businesses in one country and laundering it through corporate structures in another. Protection payments collected domestically are deposited in cash into business bank accounts belonging to front companies.
The same front companies then make international wire transfers described as payments for consultancy or trade finance services to correspondent accounts in jurisdictions with weaker AML controls. From those accounts, funds move onward through correspondent banking chains that obscure the trail. Geographical and jurisdictional risk data from the destination accounts would, in isolation, flag the transfers as high-risk. The detection gap arises because the sending accounts appear to belong to legitimate trading businesses with clean KYC records.
The operational lesson is that OSINT and external source verification must extend beyond the immediate customer to the nature, geography, and counterparties of their outgoing transactions.
What Are the Red Flags That Identify Protection Payments?
| Category | Red Flag Observation |
| Customer | Business accounts show unexplained cash flow increases with no corresponding growth in declared trading activity or customer volume. |
| Customer | Business owner is reluctant to explain the source of cash receipts or provides inconsistent explanations across different interactions. |
| Customer | Business has a history of ownership changes involving individuals with criminal records or known associations with organised crime groups. |
| Customer | Business operating in a high-crime geographic area where organised criminal groups are known to operate extortion networks. |
| Customer | Business owner shows signs of financial distress or coercion, such as unusual urgency in transactions or unexplained withdrawal behaviour. |
| Transaction | Cash deposits significantly exceed industry norms for businesses of similar size and type in the same sector. |
| Transaction | Cash on hand maintained at higher than usual levels relative to the business’s stated operational requirements. |
| Transaction | Frequent cash deposits made in amounts just below the formal reporting threshold, structured across multiple branches or dates. |
| Transaction | Cash withdrawals from business accounts that do not correspond to identifiable business expenses or payroll obligations. |
| Transaction | Regular payments of fixed, round-figure amounts at consistent intervals to individuals or entities with no clear business relationship. |
| Transaction | Cash deposits followed immediately by transfers to accounts in jurisdictions with weak AML controls or on high-risk jurisdiction lists. |
| Transaction | Third parties depositing cash into a business account without any verifiable business rationale or documented relationship to the account holder. |
| Geographic | Business operations concentrated in areas identified by law enforcement or OSINT sources as having elevated organised crime activity. |
| Geographic | Outgoing transfers directed to accounts in high-risk countries or through correspondent chains with minimal transparency. |
| Geographic | Cash deposit patterns that coincide with known criminal activity events or periods of heightened organised crime presence in the area. |
| Product | Business bank account receiving cash volumes inconsistent with the business type, particularly in low-cash industries. |
| Product | Equity interests in the business entity transferred to individuals with no stated economic rationale shortly after periods of elevated cash receipts. |
| Product | Trust and corporate services used to layer ownership of cash-intensive businesses with no apparent legitimate commercial rationale. |
| Channel | Multiple individuals, unconnected to each other on available records, making cash deposits into the same business account. |
| Channel | Cash transaction services used to move funds between accounts that have no documented relationship or commercial history. |
Which AML Controls Counter Protection Payments?
| Control | What It Disrupts | Detects / Prevents / Deters | Specific Limitation |
| Transaction Monitoring | Structured cash deposits and threshold avoidance behaviour | Detects patterns of sub-threshold deposits and cash flow anomalies against peer benchmarks | Rules must be calibrated to sector-adjusted and size-adjusted norms; generic cash thresholds miss sub-threshold structuring. |
| Enhanced Due Diligence (EDD) | Concealed beneficial ownership and undisclosed criminal associations | Detects ownership inconsistencies and criminal background linkages through deeper inquiry | Requires accurate and current beneficial ownership data; criminal groups use nominee structures to defeat standard EDD. |
| OSINT and External Source Verification | Front company legitimacy and false trading narratives | Detects absence of genuine business activity and linkages to known criminal networks | OSINT coverage is uneven across jurisdictions; criminal groups in some areas leave minimal digital footprint. |
| Risk-Based Customer Profiling and Segmentation | Misclassification of high-risk cash-intensive businesses as standard-risk | Identifies customers in sectors and geographies with elevated protection payment exposure and applies heightened scrutiny | Profiling requires up-to-date geographic crime intelligence; static risk models become obsolete quickly. |
| Service Restriction | Continued access to banking channels for identified criminal-linked accounts | Prevents further laundering by terminating the institutional relationship | Must be applied with documented justification; premature restriction without investigation may suppress useful intelligence. |
| Staff AML Training and Awareness | Undetected relationship-level signals that systems cannot capture | Enables front-line staff to identify behavioural cues from victim businesses and suspicious account activity | Effective only when training is scenario-specific to protection payment typologies; generic training does not produce recognition. |
How Do AI and RegTech Automate Detection of Protection Payments?
Protection payments generate a distinctive behavioural signature in transaction data: regular, structured cash flows that outpace declared business activity, originate from multiple depositors with no apparent connection, and feed into rapid outward transfers. AI and RegTech platforms apply several mechanisms to detect this signature automatically.
Transaction monitoring engines apply peer-group analysis to compare a business account’s cash volumes against anonymised benchmarks drawn from entities of similar size, sector, and geographic location. A restaurant depositing three times the cash of comparable establishments in the same postcode will trigger an anomaly alert without any human review. Modern systems apply this comparison dynamically, adjusting the peer group as new data arrives, rather than using static thresholds.
Network analytics and graph intelligence tools map the relationships between accounts based on transaction flows, shared identifiers, and counterparty overlaps. A protection payment collection network will show a characteristic hub-and-spoke pattern: multiple payer accounts feeding into a single recipient account at regular intervals. Graph analytics detect this structure even when the individual transactions fall below alert thresholds, because the network pattern itself is the signal.
Natural language processing (NLP) for adverse media and OSINT monitors open-source data for references to criminal activity, law enforcement investigations, and organised crime presence in specific geographic areas. When adverse media signals for a district are elevated, transaction monitoring rules for customer accounts in that district can be automatically calibrated upward.
Machine learning anomaly detection identifies deviation from a specific customer’s own historical baseline rather than a peer group. For a victim business that begins making protection payments, the cash flow profile changes. For the criminal group’s laundering vehicle, cash receipts appear without a corresponding growth in other business indicators. Both deviations are detectable by a model trained on the customer’s own data history.
Vendor categories offering these capabilities include transaction monitoring platforms with peer benchmarking modules, entity resolution and graph analytics providers, and OSINT-integrated risk intelligence tools. No single vendor category provides full coverage; effective detection of protection payment flows requires integration across at least transaction monitoring and network analytics.
What Data Should Compliance Teams Collect to Detect Protection Payments?
| Data Point | Source System | What It Reveals about Protection Payments |
| Cash deposit frequency and amounts | Core banking / transaction monitoring | Structured sub-threshold patterns and peer-group cash volume anomalies that indicate organised cash collection. |
| Counterparty identifiers for cash deposits | Core banking | Multiple unconnected depositors feeding one account, revealing the hub-and-spoke collection pattern of a protection scheme. |
| Business trading records and declared turnover | KYC and CDD records | Disparity between declared business activity and observed cash volumes, indicating concealed illicit income flows. |
| Beneficial ownership register data | Company and beneficial ownership registries | Nominee structures and unexplained ownership transfers that indicate criminal control behind a legitimate front. |
| Geographic crime risk scores | Geographical and jurisdictional risk data | Elevated organised crime presence in the business customer’s operating area, calibrating the risk assessment baseline. |
| OSINT and adverse media signals | Open-Source Intelligence (OSINT) | Criminal associations, law enforcement actions, and reputational risks attached to the business or its principals. |
| Outgoing wire transfer destinations and counterparties | Transaction logs | Transfers to high-risk jurisdictions or accounts with no verifiable commercial relationship, indicating layering of collected funds. |
| Communication records linked to account activity | Communication records | Patterns of contact between account holders and third parties that coincide with unusual cash flows, relevant to law enforcement cooperation. |
How Do Protection Payments Aggravate Customer Risk and Product Risk?
Protection payments aggravate customer risk by introducing a class of business customers whose cash flows are partially or wholly driven by extortion rather than legitimate trading.
The compliance challenge is that the victim business presents a clean corporate profile: registered, trading, and tax-filing. The criminal proceeds are embedded within an otherwise legitimate cash flow.
Standard customer risk rating models that assess a business by its sector, size, and declared activity will score such a customer as moderate risk when the actual risk is significantly higher.
The criminal group that collects the payments presents a low customer risk when it attempts to bank its proceeds directly, because its entities are typically constructed with layered corporate structures and nominee ownership designed specifically to defeat beneficial ownership checks.
Protection payments aggravate product risk because cash transaction services and business bank accounts are the primary vehicles through which protection payment proceeds enter the financial system.
Cash is inherently anonymous: once deposited, its physical origin is erased. Business bank accounts provide the institutional cover that makes this transition credible. The combination of a cash product in a cash-intensive business sector creates a product risk environment in which illicit cash from extortion schemes is structurally difficult to distinguish from legitimate trading receipts.
Any institution offering business banking or cash transaction services to enterprises in sectors commonly targeted by protection schemes faces elevated product-level exposure.
What Observable Patterns Indicate Protection Payments Activity?
Compliance officers observing business account behaviour should treat the following as potential indicators requiring further investigation.
A business account shows cash receipts increasing month on month, while the business’s other financial indicators, number of employees, declared expenses, and supplier invoices, remain flat. A business in a sector with predictable seasonal revenue shows cash deposits that are out of phase with the seasonal pattern.
Cash deposits are made by multiple individuals across multiple branches over several days, in amounts that appear modest individually but cumulatively represent a material volume. A business owner who has previously engaged constructively with the relationship manager becomes evasive or reluctant to meet.
Cash withdrawals are made in regular amounts on fixed days of the week with no apparent business expense that corresponds to the withdrawal size. A third party who is not a director, beneficial owner, or authorised signatory is observed depositing cash into the account on multiple occasions.
Sectors at Highest Exposure
| Sector | Risk Rating | Specific Reasoning |
| Hospitality (bars, restaurants, clubs) | Critical | High natural cash turnover provides effective cover for protection payment proceeds; multiple daily cash transactions make anomalies hard to identify without peer benchmarking. |
| Construction and Contracting | Critical | Project-based cash flows are irregular by nature, masking extortion payments structured as subcontractor fees; shell companies used to simulate legitimate contractual relationships. |
| Retail (convenience, clothing, electronics) | High | High volumes of small-value cash transactions provide a structuring vehicle; businesses in densely populated commercial areas face concentrated criminal demand. |
| Transport and Logistics | High | Cash-based payment cultures in parts of the sector; opacity of subcontracting chains enables insertion of protection payment flows as freight or logistics fees. |
| Professional Services (accountants, TCSPs) | Moderate | Used to create corporate vehicles that provide laundering infrastructure for protection payment proceeds rather than as direct victims of extortion demands. |
Best Practices for Protection Payments Risk Management
- Calibrate transaction monitoring rules to sector-adjusted and size-adjusted peer benchmarks. Generic cash thresholds generate false negatives for protection payment schemes because the criminal flows are structured to sit within expected cash ranges for the sector. Peer benchmarking that compares a business against enterprises of comparable size, declared activity, and geographic location is the minimum effective standard. Review and recalibrate these benchmarks at least annually against observed typology data.
- Mandate EDD for all business customers in sectors and geographies with elevated protection payment exposure. Risk-based customer profiling must incorporate sector risk and geographic crime intelligence as explicit inputs. A hospitality business operating in a high-density commercial area with a known organised crime presence should be assigned an elevated risk rating regardless of its otherwise clean corporate profile. EDD at onboarding and periodic review should include verification of actual business activity through non-documentary means, such as site visits or third-party trade data.
- Include OSINT and adverse media monitoring in the ongoing monitoring programme for business accounts. Open-source intelligence provides early warning of criminal activity in specific geographic areas and can reveal linkages between business customers and known criminal actors that do not appear in official registry data. OSINT should be refreshed at trigger events, significant cash flow changes, ownership transfers, new account signatories, and at periodic review intervals.
- Train front-line staff on the behavioural indicators of victim businesses, not just the financial indicators. Relationship managers and branch staff are the institution’s most proximate observers of customer behaviour. Training must equip them to recognise signs of coercion, a business owner who appears fearful, who provides inconsistent explanations for cash activity, or who behaves differently in the presence of specific third parties. These qualitative signals are not detectable by automated systems.
- Apply graph analytics to identify hub-and-spoke deposit patterns across business account portfolios. Protection payment collection networks leave a characteristic network signature: multiple unconnected depositors feeding a single recipient account at regular intervals. Network analytics tools can detect this pattern across the account portfolio even when individual transaction volumes are below alert thresholds. This is the most effective automated detection method for the collection phase of the scheme.
- Establish a clear escalation pathway for victim business disclosures. Some business customers will disclose, proactively or under questioning, that they are paying for protection. Compliance programmes must include a documented procedure for handling such disclosures: what to record, who to notify internally, and when and how to file an STR under FDL 10/2025 Article 18. Failure to act on a voluntary disclosure is a critical compliance gap.
- Cross-reference cash deposit patterns against known criminal activity events in the geographic area. Changes in cash flow patterns that coincide with law enforcement operations, increases in reported crime, or criminal group territorial changes provide contextual intelligence that elevates or reduces alert priority. Integration of law enforcement intelligence into transaction monitoring workflows is best practice for institutions operating in high-exposure markets.
- Review beneficial ownership data for business accounts whenever a material cash flow change is observed. Protection payment schemes frequently involve ownership transfers at the moment when criminal proceeds begin to flow. A business whose beneficial ownership changes around the same time its cash deposits increase materially warrants immediate CDD refresh and EDD, regardless of the declared rationale for the ownership change. Verification must extend to the actual controllers, not just the registered directors.
- Apply service restriction as a documented, justified last resort, not a first response. Service restriction terminates the institution’s exposure but eliminates its ability to observe and report on the criminal network’s financial behaviour. Where the account has intelligence value, because it provides a window into a broader scheme, maintaining the relationship with heightened monitoring and escalation to the FIU may be operationally preferable. Document the decision and its rationale in all cases.
- File STRs without delay whenever suspicion exists; there is no minimum threshold and no evidential standard. Under FDL 10/2025 Article 18, the filing obligation arises from suspicion, not certainty. Compliance teams that delay filing pending further investigation or internal sign-off are in breach of the “without delay” standard. The STR is a report of suspicion; it is not a finding of guilt. File first, investigate in parallel.
- Ensure the institution’s AML risk assessment addresses the protection payment typology explicitly. CR 134/2025 Article 5 requires regulated entities to conduct enterprise-wide risk assessments that cover their exposure to specific ML/TF typologies. Protection payments should be addressed by name in the risk assessment where the institution operates in sectors or geographies with demonstrable exposure. The risk assessment must be reviewed and updated when typology data or geographic crime intelligence changes materially.
- Cooperate fully with law enforcement and supervisory authority requests related to extortion investigations. Protection payment schemes often generate parallel criminal investigations by law enforcement agencies. Regulated entities that receive requests for information must respond within applicable timelines and must not tip off the subject of the request. The operational prohibition on disclosure is set out in CR 134/2025 Article 19, while criminal consequences for prohibited disclosure are addressed under FDL 10/2025 Article 29. Effective cooperation with the UAE FIU and law enforcement is both a legal obligation and a material contributor to disrupting the schemes.
How Protection Payments and Extortion Are Related
Protection payments are a specific operational form of extortion. Extortion is the broader predicate offence: the criminal act of compelling a person to hand over money or property through threats or coercion. Protection payments are the recurring financial transactions that extortion produces.
Where extortion describes the criminal behaviour, protection payments describe the financial flow that results from it.
The distinction matters for compliance purposes because the AML risk does not arise from the extortion itself but from the processing and movement of the cash that extortion generates.
A financial institution is not directly involved in the extortion event, but it may become the conduit through which the proceeds are laundered. Understanding protection payments as the financial layer of extortion is essential for identifying the correct detection controls and risk indicators.
The relationship also determines cross-linking obligations. Compliance teams reviewing an account suspected of protection payment involvement must also assess its connections to the parent typology of extortion, which may involve additional predicate offences, including fraud, bribery, and organised crime financing.
Related Terms
| Term | Connection |
| Extortion | Parent predicate offence from which protection payments derive; extortion defines the criminal act, protection payments define the resulting cash flow. |
| Shell Company | Frequently used to receive and layer protection payment proceeds, providing corporate cover for illicit cash with no genuine business activity behind it. |
| Front Company | Used by criminal groups to simulate legitimate trading activity that absorbs and launders protection payment cash collected from victims. |
| Structuring | The method by which protection payment cash is deposited in sub-threshold amounts across multiple accounts and dates to avoid triggering reporting obligations. |
| Beneficial Ownership | Criminal groups use layered ownership structures to conceal control of entities that hold protection payment proceeds. |
| Suspicious Transaction Report (STR) | The mandatory report filed under FDL 10/2025 Article 18 when a regulated entity suspects that transactions are linked to protection payment proceeds. |
| Enhanced Due Diligence (EDD) | The heightened CDD process applied to business customers with elevated protection payment exposure. |
| Transaction Monitoring | The automated surveillance system that detects the cash flow anomalies generated by protection payment schemes. |
| Cash-Intensive Business | The primary victim category in protection payment schemes and the primary vehicle through which proceeds enter the financial system. |
| Predicate Offence | The underlying crime, extortion, from which protection payment proceeds derive their illicit character under FDL 10/2025 Article 2. |
| Organised Crime Group | The actor category that operates protection payment networks as a revenue source for broader criminal enterprises. |
| Illicit Acquisition | The tactic category to which protection payments belong: funds are acquired through coercion rather than legitimate economic activity. |
Related Processes and Typologies
| Process or Typology | Connection |
| Smurfing | Protection payment cash is frequently deposited by multiple individuals (smurfs) across branches to reduce individual deposit sizes below reporting thresholds. |
| Trade-Based Money Laundering (TBML) | Criminal groups may convert protection payment cash into trade invoices through controlled entities to create a documentary trail that appears legitimate. |
| Layering via Corporate Structures | Multi-layered corporate ownership is used to move protection payment proceeds through sequential entities, each adding apparent legitimacy. |
Related Controls and Obligations
| Control or Obligation | Relevance |
| Customer Due Diligence (CDD) | Baseline obligation under CR 134/2025 Articles 6–9 for all business customers; must be refreshed when cash flow anomalies are detected. |
| Ongoing Monitoring | CR 134/2025 Article 8 requires ongoing monitoring of business relationships, including scrutiny of transactions and keeping CDD information current. CR 134/2025 Article 17 requires regulated entities to establish and continuously update suspicion indicators to identify transactions warranting an STR. |
| STR Filing | FDL 10/2025 Article 18 and CR 134/2025 Article 18 require filing without delay when suspicion of protection payment-linked activity arises. |
What Financial Instruments Do Criminals Use in Protection Payment Schemes?
Cash is the primary instrument in protection payment schemes because it is anonymous, immediate, and leaves no automatic documentary record at the point of collection. The victim pays in banknotes; the criminal receives untraceable value. Cash remains the dominant instrument at the collection stage of every protection payment scheme. Its transition into the financial system, through deposit, exchange, or conversion, is the inflexion point at which AML controls have the greatest opportunity to intervene.
Bank accounts serve as both the entry point for protection payment proceeds and the layering vehicle through which those proceeds are moved. Victim business accounts show the distorted cash flow patterns that are the primary detection signal. Criminal-controlled accounts, held in the names of shell companies, nominees, or front businesses, receive the proceeds after initial collection. Multiple account structures spread the deposits and reduce the apparent volume at any single account.
Equity interests in legal entities are used at the integration stage of the scheme. Criminal groups acquire minority or controlling stakes in legitimate businesses using protection payment proceeds. The acquisition may appear as a commercial investment. The underlying purpose is to create a beneficial ownership claim over a legitimate revenue-generating entity, allowing further cash flows to be attributed to that entity’s economic activity. Company and beneficial ownership registries are the primary data source for identifying these transfers, particularly when the timing of an equity acquisition coincides with an elevated cash flow period in the related accounts.
Variants and Synonyms
| Term | Context or Jurisdiction | One-line distinction from Protection Payments |
| Racket payments | North American and European criminological usage | Refers to the same extortion mechanism but in the context of organised crime “rackets” covering a geographic area or sector. |
| Stand-over payments | Australian criminological usage | Describes protection payments in the context of stand-over tactics used by criminal groups against small businesses. |
| Pizzo | Italian and Sicilian organised crime context | The Mafia-specific term for protection payments, often framed as a tax levied on businesses operating in controlled territory. |
| Krysha | Russian and post-Soviet organised crime context | Literally “roof”; describes the protection arrangement where a criminal group provides supposed cover in exchange for regular payments. |
| Tribute payments | Transnational organised crime usage | Payments made by one criminal group to another as acknowledgement of territorial control, distinct from payments extracted from civilian businesses. |
| Security fees (disguised) | Global typology usage | The description used when protection payments are presented in writing as legitimate security service charges to create a documentary pretext. |
What Products and Services Do Criminals Abuse in Protection Payment Schemes?
Business bank accounts are the core product through which protection payment proceeds enter the formal financial system. Criminal groups either direct victim businesses to make transfers into designated accounts or deposit collected cash directly using controlled entities with business accounts. The business account product provides the institutional legitimacy that converts anonymous cash into a recorded financial asset. Compliance controls embedded in business account onboarding and ongoing monitoring are the primary point of intervention for this scheme.
Cash transaction services, including over-the-counter cash deposits, cash exchange, and cash collection services, are abused as the physical interface through which protection payment cash is introduced to the financial system. Each cash transaction is a conversion event: banknotes become a ledger entry. Criminals exploit cash transaction services that lack robust identification requirements for depositors, or that process deposits without cross-referencing the depositor against the account holder’s expected transaction profile.
Trust and corporate services are abused to build the ownership structures that receive and hold protection payment proceeds. Criminal groups use trust and company service providers (TCSPs) to establish shell companies, nominee director arrangements, and trust structures that create apparent legitimacy around entities that have no genuine business purpose. These structures are then used to open business accounts, receive cash transfers, and make outward payments that appear commercially motivated. TCSPs supervised by the MoET are subject to AML obligations precisely because of this exposure.
UAE Jurisdictional View
The UAE’s risk-based AML/CFT framework requires regulated entities to consider national, sectoral, customer, geographic, product, service, transaction, and delivery-channel risks when assessing their exposure to money laundering. Cash-intensive businesses in the hospitality, retail, and trading sectors carry heightened exposure to organised crime typologies, including protection payment schemes. Regulated entities must assess these risks as part of their enterprise-wide risk assessment under CR 134/2025 Article 5, which requires identification, understanding, management, and continuous updating of crime risks, taking into account the results of the national risk assessment and relevant sectoral risk factors.
MoET supervises a significant portion of the DNFBP landscape relevant to the detection of protection payments, including real estate agents, DPMS, and TCSPs. MoJ supervises lawyers and notaries. Both supervisory authorities have issued penalty schedules under CR 71/2024 that apply directly to failures in ongoing monitoring and STR filing, the two controls most critical to detecting protection payment flows. The UAE FIU receives all STRs through the goAML platform and conducts strategic analysis of ML typologies.
Regulated entities operating in the UAE must ensure that their AML risk assessments address the protection payment typology by name, that their transaction monitoring rules are calibrated to detect the specific patterns this typology generates, and that their staff training programmes equip relationship managers to identify behavioural indicators in business customer interactions.
How AML UAE Helps Manage Protection Payments Risk
The detection gap that allows protection payment proceeds to enter the financial system undetected is almost always a monitoring calibration problem. Generic transaction monitoring thresholds, incomplete customer risk profiles, and AML training that does not address organised crime typologies create the conditions in which extortion proceeds pass undetected through compliant-looking business accounts.
AML UAE works with regulated entities to close that calibration gap. For financial institutions, this means reviewing and reconfiguring transaction monitoring rule sets to incorporate peer-group benchmarking, sector-adjusted cash norms, and network analytics that detect the hub-and-spoke deposit patterns of protection payment collection networks. For DNFBPs, it means building customer risk profiling frameworks that include geographic crime intelligence and OSINT as explicit inputs alongside the standard documentary checks.
For compliance teams that have already identified suspicious accounts but are uncertain how to proceed, AML UAE provides practical guidance on the STR filing process, goAML platform requirements, and the “without delay” standard under FDL 10/2025 Article 18. Understanding when to file and how to document the suspicion is as operationally important as identifying the red flag in the first place.
AML UAE also provides AML training programmes built around specific typologies, including protection payments. These programmes equip front-line staff and compliance officers with scenario-based recognition skills, not generic awareness.
Closing Summary: Protection Payments
Protection payments are one of the most operationally embedded forms of organised crime money laundering. They are embedded because the criminal proceeds do not require elaborate financial engineering to enter the banking system: they flow through legitimate business accounts, disguised as trading cash, with the victim business functioning as an unwitting laundering vehicle. The compliance risk is real, continuous, and sits inside the institution’s existing customer portfolio.
The legal framework is unambiguous. Federal Decree-Law No. (10) of 2025 Article 2 criminalises money laundering from any predicate offence, including extortion. The STR obligation under Article 18 arises from suspicion and applies without delay. Regulated entities that fail to detect protection payment proceeds in their business account portfolios and fail to report face criminal penalties of up to AED 1,000,000 under FDL 10/2025 Article 28.
The practical response requires three aligned actions: recalibrating transaction monitoring rules to detect sector-adjusted and peer-benchmarked cash flow anomalies, building geographic and crime intelligence into customer risk profiling for business accounts, and ensuring that compliance teams and front-line staff are equipped to recognise and escalate protection payment indicators when they observe them. Institutions that address all three will detect this typology consistently. Those that address only one, typically transaction monitoring, will close some gaps and leave others open.
The challenge with protection payments is not identifying that extortion exists, it is identifying where the money goes afterwards. The cash moves through victim businesses, into shell accounts, and out through correspondent channels. Compliance teams that look only at the criminal group miss three-quarters of the financial footprint. The detection window is the victim business account: that is where the distortion in the cash flow is visible and where the STR obligation most clearly arises.
Frequently Asked Questions
Protection payments are regular cash sums that organised criminal groups extract from businesses or individuals through threats of violence, property damage, or harm. In the context of money laundering, the proceeds of protection payments are illicit funds derived from extortion, a predicate offence under Federal Decree-Law No. (10) of 2025 Article 2. Any financial institution or DNFBP that processes these funds may be handling the proceeds of crime, triggering STR and ongoing monitoring obligations.
Yes. Federal Decree-Law No. (10) of 2025 Article 2 criminalises money laundering in respect of funds derived from any predicate offence without limitation. Extortion, including the collection of protection payments, produces funds that constitute criminal property under FDL 10/2025 Article 1. A prior conviction for extortion is not required for the money laundering offence to apply; suspicion of a connection to criminal proceeds is sufficient to trigger STR filing obligations.
The primary detection signals are cash deposit volumes that exceed industry and size-adjusted peer norms, structured sub-threshold deposits across multiple depositors or branches, cash withdrawals in regular amounts with no corresponding business expense, and rapid outward transfers following cash receipt. Transaction monitoring rules must be calibrated to detect these patterns. OSINT and EDD provide supplementary signals through adverse media coverage and beneficial ownership discrepancies.
Under FDL 10/2025 Article 18 and Cabinet Resolution No. (134) of 2025 Article 18, a regulated entity must file a suspicious transaction report (STR) through the goAML platform without delay. There is no minimum transaction amount and no requirement to confirm that a crime has occurred. Suspicion alone triggers the filing obligation. The compliance officer must not notify the customer that a report has been filed. The prohibition on disclosure is set out operationally in CR 134/2025 Article 19. Criminal consequences for tipping off are addressed under FDL 10/2025 Article 29.
Under FDL 10/2025 Article 28, the criminal penalty for STR failure includes imprisonment and a fine of up to AED 1,000,000.
The criminal group establishes or acquires a shell company with a business bank account. The company purports to provide services, security, consulting, and cleaning to the victim businesses. Victims are instructed to make payments to this company’s account, creating a documentary trail that appears to reflect legitimate commercial transactions. The shell company’s account receives cash deposits described as fee income, which are then transferred to further accounts or used for acquisitions. The shell company has no real employees, no genuine services, and no economic substance.
The sectors at highest exposure to protection payment typologies are hospitality (bars, restaurants, and clubs), construction and contracting, and cash-intensive retail. These sectors combine high natural cash turnover with multiple daily transactions that provide effective cover for protection payment proceeds. Transport and logistics businesses and certain professional services engaged in corporate structuring also present elevated exposure.
The disclosure should be documented immediately and escalated to the compliance officer. An STR must be filed with the UAE FIU through goAML. The compliance officer should assess whether the account relationship should continue and whether law enforcement cooperation is appropriate. The customer must not be informed that an STR has been filed. The institution should consider whether EDD can provide additional intelligence about the criminal network involved.
Does protection payment detection require sector-specific transaction monitoring rules?
Yes. Generic cash threshold rules are insufficient because protection payment proceeds are typically structured to remain below standard thresholds. Effective detection requires peer-group benchmarking that compares a business account’s cash activity against enterprises of comparable size, declared sector, and geographic location. Rules must also be configured to detect patterns, multiple depositors, regular amounts, rapid outward transfers, rather than single large transactions.
Yes. Generic cash threshold rules are insufficient because protection payment proceeds are typically structured to remain below standard thresholds. Effective detection requires peer-group benchmarking that compares a business account’s cash activity against enterprises of comparable size, declared sector, and geographic location. Rules must also be configured to detect patterns, multiple depositors, regular amounts, rapid outward transfers, rather than single large transactions.
Need Help Managing Protection Payment Risks?
Build a stronger AML framework with enhanced due diligence, ongoing monitoring, and suspicious activity reporting procedures tailored to protection payment risks.
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.
Reach Out to Pathik
Share via :