
Risk Management & Compliance

FAB’s Risk Management Strategy includes comprehensive Enterprise-wide Risk and Compliance Risk Frameworks, which are fully aligned with the Group’s Vision to drive consistent value for stakeholders through the optimisation of risk and reward. Within this comprehensive framework, we have established robust controls and tools that include:

  • “Three lines of defence” model central to Risk Management Framework, to identify potential risks and gauge the effectiveness of related functions and policies.
  • New Product Approval Policy provides guidelines on developing new products, and our Risk Management team reviews and approves all new products before launch.
  • Risk Appetite Framework includes metrics and thresholds, which form part of the balanced scorecard and performance appraisals of senior executives.
  • Risk-related training for relevant employees that covers Basel III standards, credit risk and modelling, and financial statement analysis. We also provide mandatory training to all employees on general risks, such as data security and money laundering, discussed in other sections of this report.
  • Annual internal surveys to receive employee feedback on managing risks, which help us continuously improve our practices.
  • Robust Business Continuity Framework and Policy, complemented by our Crisis Management Framework and other emergency plans and incident response procedures that are tested regularly and at a minimum on an annual basis, ensure organisational resilience in the event of major or unexpected incidents and crises, such as COVID-19.

Risk management oversight

Overall accountability for Risk Governance lies with the Board Risk and Compliance Committee (BRCC), which develops and oversees the Group Risk and Compliance strategies, appetites and policy guidelines and monitors adherence to these.

Assisting the BRCC in carrying out these functions are the Group Risk Committee (GRC), Group Operational Fraud Risk Committee (GOFRC), Group Technology Risk and Information Security Committee (GTRISC), and Group Compliance Committee (GCC), as well as several sub-committees, such as the IFRS 9 Group Steering Committee and the Model Risk Management Committee, that oversee specific risk responsibilities.

Risk management framework

First Abu Dhabi Bank’s Board of Directors, Group Chief Executive Officer and Executive Management provide oversight of our Three Lines of Defence:

1st Line of Defence

  • Execute processes and controls
  • Business and Enabling functions
  • Own, supplement and operate within the Risk Appetite, Limits and Framework

2nd Line of Defence

  • Design and facilitate proactive Risk Management
  • Group Risk Management and Group Compliance
  • Design and monitor Risk Appetite, Limits and Framework based on Group’s Strategy

3rd Line of Defence

  • Independent Assurance
  • Group Internal Audit
  • Provide independent assurance on the adequacy and effectiveness of the Internal Control, Risk Management, Governance, System and Processes

Information Security & Data Privacy

The very nature of our business is based on safeguarding customers and their assets, and personal information is an integral component of those assets. That is why protecting the privacy of our clients and handling the sensitive information they entrust to us will always be a top priority at FAB.

Group Information Security and Data Privacy policies and procedures are periodically reviewed and approved by the Board.

FAB’s information security/cybersecurity risk, challenges, regulatory requirements, and initiatives are discussed and reviewed by the Group Technology Risk and Information Security Committee (GTRISC) on a bi-monthly basis and the Board Risk and Compliance Committee (BRCC) on a quarterly basis.


We have adopted a Defence in Depth approach to effectively manage our Information Security and Data Privacy Programme. A multi-layered programme is in place to protect and ensure the responsible use of personal data. Aligned with information security standards, such as PCI-DSS, Swift CSCF and UAE IA standards, the programme includes:

  • Security and privacy policies, procedures, and protocols, such as strong customer authentication methods
  • Secure data storage areas with employee clearance requirements to minimise the risk of unauthorised data access
  • A comprehensive data leakage prevention strategy

We have implemented a robust Technology Risk Management (TRM) practice, in alignment with Enterprise Risk Management, to identify the critical information security control objectives that help us evaluate the adequacy of security controls, from both control design and control operation perspectives, for all technology implementations at FAB. A robust methodology has been introduced to dynamically identify cyber threats based on the security capabilities.

We have adopted cloud security tools to eliminate cloud security blind spots and simplify the management of compliance in cloud environments, meeting the FAB Cloud strategy and regulatory mandates.

We have built robust data protection, data classification and data encryption techniques, network security (e.g., firewalls) and other tools into our products, services, and technologies. Sophisticated systems are in place to continuously monitor suspicious activity and thwart cyber-attacks in an evolving threat landscape, and FAB works closely with government agencies and other financial institutions to share security intelligence and analytics.

We conducted a cyber-war gaming exercise in collaboration with the Central Bank of the UAE to test the UAE banking sector’s cyber resilience, as well as strengthen its capability to deal with increasingly sophisticated cyber-attacks.

We perform periodic testing and security assessments, and our 24/7 security monitoring team reviews security events and incidents. Through our Vendor Risk Framework, we ensure that all third-party relationships are initiated based on comprehensive due diligence, and that risk-focused controls and processes are in place before contract signing, which reduces the risk of data breach, reputational damage, and inability to comply with legal or regulatory requirements. To counter the increasing software supply chain attacks, we conduct vendor due diligence on third, fourth and fifth parties, protecting our business clients and customers.

Employee and customer education

Employee education is a key cornerstone of our data governance programme. We provide mandatory training (e-learning and classroom based), promote good privacy and security practices among our employees and contractors, and test compliance with these practices through periodic “phishing” simulations. In addition, we have a customer awareness programme in which we communicate the importance of customer vigilance regarding online safety and protection of their accounts, financial information, and devices.

Consumer protection regulation

We engaged various stakeholders including Business teams for a number of initiatives under the Consumer Protection Regulation (“Regulation”). Relevant education sessions covering Data Privacy aspects of the Regulation were provided. Control objectives were co-ordinated with Business Units to meet the principles and requirements of the Regulation. Policies were created to demonstrate the Bank’s compliance with the Regulation in respect of Data Privacy, Management and Protection aspects.

Routine assessments are performed to identify possible vulnerabilities on all Bank assets and infrastructure, including payment card systems. Methods adopted include reviewing software asset inventories, extending the identification to third-party applications and vendors, using various scanning tools, and continuously monitoring logs to identify patterns matching cyber intelligence feeds from cybersecurity partners. The use of advanced analytics also provides us with insights and real-time data to uncover and act on potential threats.

Top Emerging Risks & FAB Mitigants

Credit Risk

In 2021, the banking sector witnessed challenges in asset-quality indicators and a higher cost of risk as the true impact of 2020 started to be reflected and forbearance measures were being lifted in the second half of 2021.

During the year, FAB applied strict underwriting controls, carried out comprehensive and continuous portfolio reviews, strengthened its early warning mechanism and provided necessary support to its clients to ensure that its asset quality indicators remain within the set Risk Appetite threshold.

FAB will continue to enhance its credit risk underwriting and monitoring framework, portfolio review mechanism and follow prudent provisioning norms so that asset growth and quality is well balanced.

Model Risk Management

In 2021, banks witnessed an increasing role of models in decision-making, requiring continuous availability of ‘robust and relevant’ models. The continuation of COVID-19 related economic uncertainties also provided unprecedented challenges for timely and accurate model risk assessment.

During the year, the Bank strengthened its model functions by formally introducing a model risk management unit and management committee. Various policies and procedures were rolled out towards effective implementation of model lifecycle management.

FAB will seek deeper engagement with market participants and regulators to refine model management techniques. The ongoing work with a global player for an agile model development and deployment platform is due for completion in 2022.

Climate Risk

Climate change has become one of the most material issues facing our society today. To promote UAE’s vision in becoming net zero by 2050, FAB is integrating climate stress testing into the existing risk management framework as well as financing the transition to a low carbon economy.

In 2021, FAB joined the Net-Zero Banking Alliance (NZBA), becoming the first UAE and GCC bank to join the alliance. We have also developed an ESG strategy and risk framework. The ESG risk framework includes a policy, governance structure, risk appetite, assessment process, risk disclosures, pillar II and climate stress testing methodology, tools for ESG risk assessment, disclosures and training and awareness.

Aided by the ESG framework, FAB will continue to enhance the identification, oversight and management of climate risk and enable our clients to transition towards a climate-neutral economy through innovative financing and advisory services.

Market and Liquidity Risk

Overall, positive moods prevailed in the global markets during 2021 despite some volatility mainly driven by expected tightening of monetary policies, increasing inflation, COVID-19 variants spreading fast and the energy crisis in Europe and Asia.

Equity markets, oil and US treasury yields edged higher during the year while credit spreads tightened on most of the developed markets (DM) and GCC names. In the emerging markets (EM) space however, credit spreads and FX levels were adversely impacted. Liquidity remained in abundance for most of 2021.

In 2022, we expect major central banks to roll out aggressive policy tightening, including multiple rate hikes and reduction of the QE (quantitative easing) / asset purchase programmes. However, pressure on liquidity is not anticipated despite the monetary tightening, aided by a positive outlook on oil prices.

In 2021, FAB had positioned itself to benefit from the market conditions by investing opportunistically during volatile periods. It also reduced its exposures to some of the EM markets. Looking ahead, FAB will continue to build positions that would benefit from the expected positive move in oil markets and DM equities, whilst reducing exposures to weak EM economies. It has also positioned itself to benefit from the rate hikes expected in 2022, as rate-sensitive assets are expected to re-price faster than rate-sensitive liabilities.

FAB will continue to maintain its strong and diversified liquidity position as it remains the banker of choice for Government and key clients.

IBOR Transition

LIBOR ceased for EUR, GBP, CHF and JPY on 31 December, 2021, while the transition for USD was postponed by the regulators to June 2023 to provide institutions enough time to implement the required changes.

FAB completed the IBOR transition for EUR, GBP, CHF and JPY products and is working with industry participants, regulatory working groups and counterparties to ensure an orderly transition within the required timelines for the USD products.

Operational and Fraud Risk

Banks worldwide faced multi-dimensional Operational Risks during the pandemic years (2020 and 2021) through business disruption, process and system failures, and internal / external frauds. The future operational risk landscape includes heightened cyber threats, third-party and outsourcing risk, and conduct risk.

To mitigate these risks, FAB has introduced an enhanced internal control monitoring mechanism, identified key personnel and critical processes, and implemented a scalable work-from-home (WFH) solution.

To combat fraud risks, technology solutions such as DSK (Digital Secure Key) and FaceTek were implemented to prevent on-boarding and transactional fraud. A comprehensive set of guidelines and awareness messages has been published for customers and staff to educate them on our efforts to fight against fraud.


In the past years, cybersecurity threats have increased primarily due to increased ransomware attacks, remote working, data security risks, and a need for new emerging cyber skillsets.

FAB has adopted a defence-in-depth strategy enabled by security controls, cyber monitoring and continuous analysis of network traffic, with enhancements to logging and encryption in progress. FAB has implemented Optical Character Recognition (OCR) capability to enhance Data Leakage Prevention (DLP) and automatic data classification for data security.

Cloud Security Posture Management (CSPM) and Container Workload Protection technologies (CWPP) were implemented to protect the cloud environment from both internal and external factors. Due to the pandemic, remote working security controls have been strengthened with a secure, encrypted Virtual Private Network (VPN), DLP, watermarking and Virtual Desktop Infrastructure (VDI) where required.

FAB will continuously strengthen its cyber defences, facilitated by strong controls to mitigate advanced cyber threats, and its enhanced capability in threat detection and access controls.

Business Continuity

The persistent COVID-19 outbreak continued to have a mixed impact on employees’ health and safety and relentlessly tested the business and operational resilience capabilities of the organisation in 2021. A people-first approach and the convening of crisis management teams helped FAB to continuously assess the risks introduced by COVID-19 and respond in line with regulatory directions. In addition, recovery strategies like work-from-home (WFH), established early in 2020, helped the Bank to sail through the pandemic challenges of 2021.

Organisations globally are staying on alert and monitoring the pandemic situation to return to ‘normal’, albeit maintaining alternative working arrangements as required.

FAB will continue to take a people-first approach, while strictly adhering to health authority and government guidelines. IT resilience and disaster recovery planning will remain another area of attention in order to meet the expectations of customers, partners and regulators.

Fintech Disruption

Since banking is increasingly becoming digital, digitalisation will dictate the future in several areas of banking including customer experience, distribution channels and cost structures.

FAB has put in place several partnerships with new entrants and tech companies to ensure that customers can make payments quickly and easily, including but not limited to digital wallets, remittance solutions, and services for merchants. To enhance customer screening and access security, FAB has implemented DSK (digital secure key) and Facetek technologies on its mobile platforms.

FAB is also preparing itself to embrace open banking, by enhancing its open API capabilities and API security capabilities.

Risks Arising from the Receipt of Services from Third Parties

FAB will continue to enhance the third-party risk management programme to help ensure engagements comply with the third-party risk policy and required standards. We work closely with providers to monitor performance.

In 2022, we will continue to strengthen our third-party risk framework and improve our technology, process and people capabilities.

Compliance at FAB

In accordance with the UAE Central Bank corporate governance requirements, the Group Compliance reporting line is to the Group Chief Executive Officer. The Group Head of Compliance also reports directly to the Chair of the Board Risk and Compliance Committee (BRCC).

Compliance manages and acts as the principal interface between FAB and its banking regulators in all locations. Dedicated local Compliance Officers support all bank branches and subsidiaries across the network. Central teams of subject matter experts provide advice, guidance and support for Regulatory Compliance, Financial Crime Compliance and Compliance Technology. A Compliance Monitoring and Assurance team undertakes independent testing and reviews of processes and procedures to ensure compliance with internal and external regulatory obligations.

The Compliance Risk Framework is aligned with the vision and strategy of FAB Group, to ensure appropriate visibility, understanding, oversight and management of Compliance Risks. Within this framework a number of controls, key performance and risk indicators and thresholds have been developed, including Group Compliance operating as part of a second line of defence within FAB’s three lines of defence model, providing independent oversight, advice and guidance for the Bank.

Compliance Risk Appetite metrics are included in the Balanced Scorecards and Performance Appraisals for Senior Management. Feedback on any inappropriate behaviours identified during the year is also considered during the year-end review process.

Mandatory Annual Compliance Training requires completion by all staff, in addition to specific tailored training for certain areas such as trading, sales and relationship management. The Board also receives annual Compliance Training updates.

Annual Enterprise-Wide Compliance Risk Assessments are undertaken for all businesses and geographic locations, covering inherent risks and controls over Regulatory Risks as well as Financial Crime Risks. Following reviews against Compliance Risk Appetite, concurrence from BRCC and GCC is obtained for relevant mitigating plans and actions.

Staff personal conduct is managed through individual conflicts processes, including personal account dealing declarations, outside business interests notifications and oversight of gifts and entertainment. Bank conduct and associated conflicts are managed through surveillance and other activities reviewed through the Group’s Compliance Control Room.

Compliance Oversight

Overall responsibility for the development of FAB’s Compliance Strategy, Risks, Appetite and Governance is delegated to the BRCC, including oversight of implementation. The Group Compliance Committee (GCC), chaired by the Group Chief Executive Officer, assists the BRCC in undertaking its compliance responsibilities.

Financial Crime

FAB has invested heavily in strategies, frameworks, systems and controls, as well as subject matter expert resources, to prevent and detect criminal activities, including Money Laundering, Bribery and Corruption, Terrorist Financing and to satisfy International Sanctions requirements.

Money Laundering scenarios and typologies are regularly reviewed and updated to ensure that they align with the Bank’s products and services, as well as any changes in criminal behaviours identified through regulatory investigations or market updates.

Policies and procedures are periodically reviewed and updated to reflect new and amended regulatory requirements and FAB’s Risk Appetite. Staff communications and education programmes are in place to ensure that they understand and apply current requirements.

Customer and transaction screening

To assure that FAB’s customers and their transactions are appropriately identified as legitimate, the Bank has adopted international best practice for its due diligence processes, both at initial onboarding and throughout the lifetime of the relationship. A variety of tools and systems are in place to facilitate the detection and reporting to the authorities of any criminal behaviours identified or suspected. Customer and Payment Screening is undertaken against lists provided by the UN, US, UK, EU and the UAE, in addition to any other required local country lists.

Regulatory change

As with other regulated Financial Institutions, FAB continues to identify a significant volume of material new and amended regulations that require action to ensure compliance, which range from significant groupwide programmes to local process and system changes. During 2021, FAB was directly impacted by over 500 such changes, which require analysis, engagement with relevant stakeholders, development and implementation of action plans, reporting to senior management and oversight of the eventual closure of projects.

Staff training

FAB treats the training and education of its staff extremely seriously and ensures that every year all staff complete mandatory training covering Regulatory Risks and Financial Crime Compliance. During the year 99% (6361) of all staff completed the required training, the balance being unavailable for a variety of reasons, such as maternity leave. Additionally, targeted training was provided in 34 sessions for identified higher risk areas, including Senior Management and the Board (1911 staff).

Supervisory college

Every two years, FAB’s Home State Regulator, the Central Bank of the UAE, invites the Bank’s Host State Regulators covering FAB’s banking activities across the network to discuss its risk profile, strategy and key activities. The initial conference took place in November 2019, and a further, virtual, conference was hosted in December 2021. The FAB Group provided a series of presentations and updates to the participants, through its Senior Management.

Financial services industry

Banks need to continue to invest heavily in compliance capabilities to mitigate the risk that their products and services are used by Criminal Enterprises to transfer and invest their illicit gains. As these enterprises develop more sophisticated activities to avoid detection, the Bank’s processes and systems require regular update and change. Changing regulators’ expectations also need to be identified, understood and appropriately satisfied, which is a continual cycle of reviews and validations.

COVID-19 has not diminished regulators’ enforcement actions and penalties, which have continued to focus mainly on Financial Crime Compliance failings, in particular money laundering and sanctions. While the total value of fines has remained roughly the same (c. USD 4.5 billion) for the last few years, the trend appears to be shifting to a higher volume of lower value penalties. Also, business and individual conduct failings appear as an increasing area of concern to authorities. Global organisations such as FATF (Financial Action Task Force) view the imposition of fines and other penalties as evidence of whether regulatory requirements are being effectively policed and action taken for failings.

