SIMPAISA GROUP - OPERATING MODEL
Appendices A, B, and F
Version 1.0 | April 2026
Document Owner: Chief Digital Officer
APPENDIX A - GLOSSARY OF TERMS
This glossary defines all material payments, regulatory, technical, and business terms used throughout the Simpaisa Group Operating Model. Where a term has a distinct meaning in the context of Simpaisa's operations, that context is noted. Terms are listed alphabetically within each category.
A.1 Payments Terms
Acquiring The process by which a financial institution (the acquirer) processes card and electronic payment transactions on behalf of a merchant. The acquirer accepts funds on the merchant's behalf and routes them through card schemes and payment networks. Simpaisa acts as an acquirer-side aggregator in certain corridors.
Chargeback A forced reversal of a payment transaction, typically initiated by a card issuer at the request of a cardholder disputing a transaction. Chargebacks carry financial penalties for merchants and result in the return of funds to the cardholder. Distinguished from a refund, which is merchant-initiated.
Collection The act of receiving funds from a payer (end customer or business) on behalf of a payee (merchant or partner). Synonymous with Pay-In in Simpaisa's product taxonomy. Collections may occur via mobile wallets, cards, bank transfers, or over-the-counter channels.
Correspondent Banking An arrangement whereby one bank (the correspondent) provides services to another bank (the respondent) in a jurisdiction where the respondent has no physical presence. Used in cross-border remittances to move funds between countries. Nostro and vostro accounts underpin correspondent banking relationships.
CVV (Card Verification Value) A three- or four-digit security code printed on a payment card, used as an additional authentication factor for card-not-present transactions. CVV data must not be stored post-authorisation under PCI DSS rules.
DCB (Direct Carrier Billing) A payment method in which charges are applied directly to a mobile subscriber's carrier bill or pre-paid balance, without requiring a bank account or payment card. Active in Simpaisa's Pakistan operations via Mobilink, Telenor, Ufone, and Zong.
Disbursement The outbound transfer of funds from Simpaisa or a partner to an end beneficiary. Synonymous with Pay-Out. Disbursements are executed via mobile wallets, bank transfers (IBFT, NPSB, BEFTN), over-the-counter agents, or digital wallet rails, depending on the destination corridor.
Fallback Routing An automated or manually triggered mechanism that redirects a payment transaction to an alternative processing channel, gateway, or network when the primary route fails or is unavailable. Critical to Simpaisa's resilience architecture and SLA commitments.
Float The pool of pre-funded or in-transit funds held by Simpaisa in partner accounts or internal ledgers to facilitate real-time or near-real-time disbursements. Float management is a treasury-critical function; insufficient float causes disbursement failures. See also Pre-Funding.
Gross Settlement A settlement methodology in which each transaction is settled individually and in full, in real time or near real time, rather than being netted against other transactions. Contrasts with Net Settlement. Gross settlement eliminates intraday credit risk but requires higher liquidity.
GTV (Gross Transaction Value) The total monetary value of all payment transactions processed through the platform in a given period, before deducting fees, refunds, or chargebacks. The primary top-line volume metric for Simpaisa's payment business. Distinct from revenue, which is derived from MDR and FX spread applied to GTV.
IBFT (Inter-Bank Funds Transfer) A domestic electronic payment mechanism enabling real-time or near-real-time transfers between bank accounts held at different financial institutions. In Pakistan, IBFT operates via the 1LINK network. Used for both pay-in (collection from bank accounts) and pay-out (disbursement to bank accounts) use cases.
Interchange The fee paid by a merchant's acquiring bank to a cardholder's issuing bank each time a card transaction is processed. Set by card schemes (Visa, Mastercard). Interchange forms part of the MDR charged to merchants.
Issuing The function of providing payment instruments (cards, wallets, virtual accounts) to consumers and businesses. The issuer bears the primary credit and fraud risk for card transactions. Simpaisa is not an issuer in most markets but white-label wallet provisioning edges toward issuing functionality.
MDR (Merchant Discount Rate) The fee charged to a merchant as a percentage of each transaction value, paid to the payment service provider in exchange for processing services. MDR is Simpaisa's primary revenue mechanism for collections. Rates vary by payment method, corridor, and merchant volume tier.
Net Settlement A settlement methodology in which multiple transactions are aggregated over a defined cycle (typically daily), and only the net position - the difference between total collections and total disbursements - is transferred. Reduces liquidity requirements but introduces intraday credit risk.
Nostro Account An account held by a bank in a foreign currency at a correspondent bank in another country. The term is from the perspective of the holding bank ("our account, held by you"). Simpaisa's treasury team monitors nostro balances across corridors to ensure sufficient float for disbursements.
OTC (Over-The-Counter) A cash-based payment or disbursement channel conducted at a physical agent location, bank branch, or retail outlet rather than digitally. Significant in Pakistan (branchless banking agents, HBL Konnect branches) and Bangladesh. OTC channels are operationally intensive but serve unbanked and underbanked populations.
PAN (Primary Account Number) The 14–19 digit numeric identifier embossed on a payment card, which uniquely identifies the cardholder's account with the issuing bank. PAN data is classified as Sensitive Authentication Data (SAD) under PCI DSS and must be stored encrypted or tokenised.
Pay-In See Collection.
Pay-Out See Disbursement.
Pre-Funding The advance placement of liquidity into partner or correspondent accounts prior to disbursement execution. Required in markets where real-time settlement from collections to disbursements is not structurally possible. Pre-funding levels are calculated based on projected corridor volume and float velocity.
Reconciliation The process of matching and confirming that payment records across multiple systems - Simpaisa's internal ledger, partner/bank statements, and client records - are in agreement. Discrepancies (breaks) are investigated and resolved. Simpaisa operates a three-way reconciliation model: internal ledger, partner/bank, client.
Refund A merchant-initiated return of funds to a customer following a legitimate dispute, return, or cancellation. Distinct from a chargeback, which is cardholder- and issuer-initiated. Refunds are processed via the original payment rail where possible.
Settlement The final transfer of funds between parties to a payment transaction, completing the financial obligation. Settlement timelines vary by corridor and payment method: same-day, T+1, or T+2 are the standard cycles in Simpaisa's markets.
3D Secure (3DS) An authentication protocol designed to reduce fraud in card-not-present transactions by providing an additional verification step (e.g., OTP, biometric) between the cardholder, the issuing bank, and the merchant. Current standard is EMV 3D Secure (3DS2), which supports frictionless flows.
Tokenisation The replacement of a sensitive payment credential (PAN, bank account number) with a non-sensitive substitute token that has no exploitable value outside the specific tokenisation system. Reduces the PCI DSS scope for merchants and minimises breach exposure.
A.2 Regulatory Terms
AML (Anti-Money Laundering) The body of laws, regulations, controls, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. AML programmes include customer due diligence, transaction monitoring, suspicious activity reporting, and record keeping. A core regulatory obligation across all Simpaisa jurisdictions.
BFIU (Bangladesh Financial Intelligence Unit) The national financial intelligence unit of Bangladesh, established under Bangladesh Bank. Responsible for receiving, analysing, and disseminating financial intelligence related to money laundering, terrorist financing, and related offences. Directly supervises Simpaisa's Bangladesh entities on AML/CFT compliance.
CBI (Central Bank of Iraq) The central bank and primary financial regulator of Iraq. Governs Simpaisa's branch office operations in Iraq, including payment service authorisation and anti-money laundering requirements.
CDD (Customer Due Diligence) The process of identifying and verifying a customer's identity, understanding the nature of their business, and assessing the risk they pose. CDD is a foundational AML/CFT control applied at onboarding and on an ongoing basis. See also EDD, SDD.
CFT (Counter-Financing of Terrorism) Controls and obligations designed to prevent the financial system from being used to fund terrorist activities. Closely linked to AML obligations; most jurisdictions combine the two into a single AML/CFT regulatory framework.
CPF (Counter-Proliferation Financing) Controls targeting the financing of weapons of mass destruction (WMD) proliferation. An increasingly explicit component of international standards (FATF Recommendation 7) and relevant to Simpaisa's operations given its cross-border presence and exposure to sanctioned jurisdictions.
DACI See Business Terms (A.4).
DFSA (Dubai Financial Services Authority) The independent financial regulator of the Dubai International Financial Centre (DIFC). Simpaisa Technologies is pursuing a DFSA Category 3D (Providing Money Services) licence, which requires resident governance, minimum capital of USD 300,000–500,000, a Senior Executive Officer, and an MLRO.
EDD (Enhanced Due Diligence) A higher-intensity CDD process applied to customers, counterparties, or transactions assessed as higher risk - for example, Politically Exposed Persons, high-risk jurisdictions, or complex ownership structures. EDD may involve source of funds/wealth verification, senior management sign-off, and enhanced ongoing monitoring.
FATF (Financial Action Task Force) The inter-governmental body that sets international standards for combating money laundering, terrorist financing, and proliferation financing. FATF's 40 Recommendations and its grey/black list directly influence the regulatory requirements in all Simpaisa jurisdictions. Nepal, Pakistan, and Bangladesh have each been on FATF grey lists, affecting Simpaisa's compliance posture.
FCA (Financial Conduct Authority) The financial regulator of the UK, responsible for authorising and supervising payment institutions, electronic money institutions, and money service businesses operating in the UK. Commerce Plex Limited (UK) is registered with HMRC as an MSB and is subject to FCA scrutiny for payment services activity.
FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) Canada's financial intelligence unit and AML/CFT supervisor. Both Simpaisa CA (MSB) and Commerce Plex (FMSB) are registered with FINTRAC and must comply with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
Fit and Proper A regulatory assessment applied to individuals holding controlled functions (directors, senior executives, compliance officers) at licensed financial institutions. Evaluates honesty, integrity, reputation, competence, and financial soundness. Required by DFSA, MAS, SBP, Bangladesh Bank, NRB, and other regulators for key personnel at Simpaisa.
FMSB (Foreign Money Services Business) A category of money service business registration in Canada for entities operating in Canada but incorporated abroad. Commerce Plex Limited holds FMSB registration with FINTRAC for its Canadian remittance operations.
KYB (Know Your Business) The due diligence process applied to business customers and merchant partners - verifying corporate registration, beneficial ownership, business activity, and risk profile. Analogous to KYC for individuals. KYB is the primary onboarding gateway for Simpaisa's merchant relationships.
KYC (Know Your Customer) The process of verifying the identity of individual customers and assessing their risk profile, as required under AML/CFT regulations. KYC includes identity document verification, address confirmation, and, where applicable, source of funds enquiry.
MAS (Monetary Authority of Singapore) Singapore's central bank and integrated financial regulator. Simpaisa Holdings PTE. Limited (HoldCo) is incorporated in Singapore and operates within the MAS regulatory framework. MAS standards inform Simpaisa's group-level governance and compliance programme.
MLRO (Money Laundering Reporting Officer) The designated individual within a regulated firm responsible for receiving internal suspicious activity reports, assessing them, and filing external Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) with the relevant financial intelligence unit. A mandatory controlled function under most of Simpaisa's operating licences.
MSB (Money Services Business) A category of financial services business - including money transfer, currency exchange, and cheque cashing - subject to AML/CFT registration requirements in various jurisdictions. Simpaisa CA holds MSB registration with FINTRAC in Canada.
PEP (Politically Exposed Person) An individual who holds, or has held, a prominent public function - such as a head of state, senior politician, senior government official, judicial officer, or military commander - as well as their immediate family members and close associates. PEPs are subject to EDD under most jurisdictions' AML/CFT frameworks.
PSO (Payment System Operator) A licence category in Bangladesh and Pakistan granted by Bangladesh Bank and the State Bank of Pakistan respectively, authorising an entity to operate a payment system or payment network. Soft Tech Innovation/aamarPay holds a PSO licence from Bangladesh Bank.
PSP (Payment Service Provider) A broad category covering entities that provide payment services to merchants, consumers, or businesses. The term is used both generically and as a specific licence category in some jurisdictions (e.g., NRB in Nepal). Simpaisa positions itself as a cross-border PSP.
SAMA (Saudi Central Bank) The central bank and financial regulator of Saudi Arabia, responsible for licensing Payment Service Providers and Payment Organisations. Simpaisa's Saudi Arabia expansion strategy includes obtaining a SAMA Major Payment Institution licence in Phase 3 of the market entry plan.
SAR (Suspicious Activity Report) A confidential report filed by a regulated firm with its financial intelligence unit when it suspects that a customer or transaction may be connected to money laundering, terrorist financing, or other financial crime. Filing a SAR discharges the firm's reporting obligation; it does not constitute a finding of guilt. Used primarily in Canada and the UK.
SBP (State Bank of Pakistan) The central bank of Pakistan. The primary regulator for payment services in Pakistan. PublishEx Solutions PVT Limited operates under SBP Schedule H authorisation (UBL/1LINK) and branchless banking agency arrangements. SBP's oversight encompasses payment system licensing, AML/CFT compliance, and foreign exchange controls.
SDD (Simplified Due Diligence) A reduced-intensity CDD process permitted for customers, products, or transactions assessed as presenting lower risk. SDD involves verification of identity but with fewer enquiries into business purpose or source of funds. Must be justified by a documented risk assessment.
SECP (Securities and Exchange Commission of Pakistan) The securities and corporate regulator of Pakistan. SECP oversees corporate registration and securities activity in Pakistan, including some aspects of fintech regulation. Relevant to Simpaisa's Pakistan entity (PublishEx) and any future EMI licence application in Pakistan.
SEO (Senior Executive Officer) A specific controlled function designation under DFSA regulations, requiring an individual resident in the UAE who is responsible for the day-to-day management of a DFSA-authorised firm. Mandatory for Simpaisa's planned DFSA Category 3D licence.
STR (Suspicious Transaction Report) The equivalent of a SAR in many Asian jurisdictions, including Pakistan (SBP) and Bangladesh (Bangladesh Bank/BFIU). The terminology differs by jurisdiction but the underlying obligation - to report suspected financial crime activity to the national FIU - is equivalent.
Three Lines of Defence A governance framework for risk management in which the first line (business operations) owns and manages risk day-to-day; the second line (risk and compliance) sets standards, provides oversight, and challenges the first line; and the third line (internal audit) provides independent assurance over the effectiveness of the first two lines. Adopted as Simpaisa's enterprise risk governance model.
Travel Rule FATF Recommendation 16, which requires financial institutions and VASPs to pass originator and beneficiary information alongside cross-border wire transfers and virtual asset transfers above specified thresholds. Compliance with the Travel Rule is a key obligation for Simpaisa's remittance and crypto off-ramp operations.
VASP (Virtual Asset Service Provider) An entity that conducts exchange, transfer, safekeeping, administration, or participation in financial services related to virtual assets (cryptocurrencies). VASPs are subject to AML/CFT regulation under FATF standards and, increasingly, domestic legislation. Relevant to Simpaisa's USDT → PKR crypto off-ramp product.
Sanctions Screening The process of checking customers, counterparties, transactions, and related parties against applicable sanctions lists (OFAC, UN, EU, HM Treasury, FATF) to identify and block or escalate prohibited dealings. Simpaisa operates sanctions screening via the Eastnets platform across all corridors.
A.3 Technical Terms
Active-Active A high-availability architecture in which two or more instances of a system simultaneously serve live traffic, enabling seamless failover without service interruption if one instance fails. Contrasts with Active-Passive, where the standby instance only activates upon failure of the primary.
ALB (Application Load Balancer) An AWS managed load balancing service operating at Layer 7 (application layer) of the OSI model. Routes incoming HTTP/HTTPS traffic to target groups based on content-based rules. Used in Simpaisa's AWS infrastructure to distribute API traffic across backend services.
AoC (Attestation of Compliance) A formal document completed by a Qualified Security Assessor (QSA) or self-assessed entity, confirming that a PCI DSS assessment has been completed and that the entity meets (or is working towards) compliance. Required annually for entities that store, process, or transmit cardholder data.
API (Application Programming Interface) A defined interface through which software systems communicate and exchange data. Simpaisa's core integration model is API-first: merchants and partners connect to Simpaisa's platform via documented REST APIs. APIs govern payment initiation, status queries, webhook delivery, and reconciliation data retrieval.
CDN (Content Delivery Network) A distributed network of edge servers that cache and deliver web content from locations geographically close to end users, reducing latency and improving performance. AWS CloudFront serves as Simpaisa's CDN layer.
CDE (Cardholder Data Environment) The collection of people, processes, and technology that stores, processes, or transmits cardholder data or sensitive authentication data. The CDE is the primary scope of PCI DSS assessment and must be strictly controlled and isolated from out-of-scope systems.
CI/CD (Continuous Integration / Continuous Deployment) A software engineering practice in which code changes are automatically built, tested, and deployed to production in short, frequent cycles. Simpaisa's CI/CD pipeline is built on Jenkins, with Terraform and Ansible for infrastructure automation. Enables rapid, safe feature delivery.
DAST (Dynamic Application Security Testing) Security testing methodology in which an application is tested in its running state (black-box testing) to identify vulnerabilities such as injection flaws, authentication weaknesses, and misconfigurations. Complements SAST, which analyses source code statically.
DDoS (Distributed Denial of Service) A cyberattack in which a large volume of illegitimate traffic is directed at a target system from multiple sources simultaneously, overwhelming its capacity and rendering it unavailable to legitimate users. AWS WAF and Shield provide DDoS mitigation for Simpaisa's infrastructure.
HMAC (Hash-Based Message Authentication Code) A cryptographic mechanism that combines a cryptographic hash function with a secret key to verify both the integrity and the authenticity of a message. Widely used in API security to authenticate webhook payloads and API requests. Simpaisa uses HMAC-SHA256 for API signature verification.
IaC (Infrastructure as Code) The practice of managing and provisioning cloud infrastructure through machine-readable configuration files rather than manual processes. Simpaisa uses Terraform for IaC, enabling repeatable, auditable, and version-controlled infrastructure deployment.
ISO 27001 The international standard for information security management systems (ISMS), published by the International Organisation for Standardisation. Specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. Simpaisa holds ISO 27001 certification, managed by the CISO organisation.
MTD (Maximum Tolerable Downtime) The maximum duration for which a business process or system can be unavailable before the disruption causes unacceptable consequences for the organisation. Used in BCP/DR planning to establish recovery objectives. See also RTO and RPO.
Multi-AZ (Multi-Availability Zone) An AWS deployment pattern in which resources are replicated across multiple physically separate data centre locations (Availability Zones) within an AWS region, providing resilience against localised infrastructure failures. Simpaisa's production systems are deployed in a Multi-AZ configuration.
NLB (Network Load Balancer) An AWS managed load balancing service operating at Layer 4 (transport layer) of the OSI model. Handles high-throughput, low-latency TCP/UDP traffic. Used for Simpaisa's non-HTTP workloads requiring extreme performance.
PCI DSS (Payment Card Industry Data Security Standard) A set of security standards designed to ensure that all entities that store, process, or transmit credit card information maintain a secure environment. Governed by the PCI Security Standards Council. Compliance is mandatory for any entity handling cardholder data. Simpaisa's PCI DSS programme is owned by the CISO.
QSA (Qualified Security Assessor) An independent security firm certified by the PCI Security Standards Council to assess and validate compliance with PCI DSS. QSAs conduct on-site assessments and issue Attestations of Compliance (AoC) and Reports on Compliance (RoC).
REST (Representational State Transfer) An architectural style for distributed hypermedia systems, commonly used for web APIs. RESTful APIs use standard HTTP methods (GET, POST, PUT, DELETE, PATCH) and status codes. Simpaisa's external-facing integration layer is entirely RESTful.
RPO (Recovery Point Objective) The maximum acceptable amount of data loss, measured in time, that an organisation can tolerate following a disruption. Defines the frequency of data backups and replication. An RPO of one hour means the organisation can tolerate losing up to one hour of transactions.
RTO (Recovery Time Objective) The maximum acceptable duration within which a system or process must be restored following a disruption. Drives the design of redundancy, failover, and recovery procedures. Simpaisa's platform targets an RTO consistent with a 99.9%+ uptime SLA.
SAST (Static Application Security Testing) Security testing methodology in which source code, bytecode, or binary code is analysed without executing the application, to identify vulnerabilities during development. Simpaisa uses Snyk for dependency scanning within its SAST programme.
SDK (Software Development Kit) A packaged set of software development tools, libraries, documentation, and sample code that enables developers to integrate with a platform or service. Simpaisa provides SDKs to accelerate merchant and partner technical integration.
SIEM (Security Information and Event Management) A security platform that aggregates, correlates, and analyses log and event data from across an organisation's IT infrastructure to detect security threats in real time. Supports Simpaisa's SOC operations alongside Datadog, Amazon CloudWatch, and CyGlass.
SRE (Site Reliability Engineering) A discipline that applies software engineering principles to infrastructure and operations, with the goal of creating scalable, highly available, and reliable systems. SRE practices - including SLAs, SLOs, error budgets, and runbooks - are embedded in Simpaisa's DevOps and H-DevOps function.
TLS (Transport Layer Security) The cryptographic protocol that provides encrypted communications over a network. TLS 1.2 is the minimum acceptable version for Simpaisa's external API connections; TLS 1.3 is preferred. All Simpaisa API endpoints enforce HTTPS/TLS.
VPC (Virtual Private Cloud) An isolated, logically partitioned section of AWS cloud infrastructure in which Simpaisa deploys its computing resources, with full control over network configuration, IP addressing, subnets, routing, and security groups. VPC segmentation is a primary network security control.
WAF (Web Application Firewall) A security appliance or service that monitors, filters, and blocks HTTP/HTTPS traffic to and from web applications, based on defined security rules. AWS WAF protects Simpaisa's public-facing APIs and web interfaces from OWASP Top 10 attacks, bot traffic, and DDoS.
Webhook A mechanism by which a server sends automated HTTP notifications to a client's pre-configured URL when a specified event occurs. Simpaisa uses webhooks to deliver real-time transaction status notifications (success, failure, pending) to merchant integrations without requiring polling.
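As an added example that is not Simpaisa's own code, the following shows how a merchant integration would verify an HMAC-SHA256 signed webhook of the kind described in the HMAC and Webhook entries above: constant-time comparison, a replay window bound into the MAC, and verification over the raw request bytes rather than re-serialised JSON. The header names, the signing-string layout (timestamp, a dot, then the body), the tolerance and the sample payload are constructed assumptions, not Simpaisa's documented API contract.

```python
import hashlib
import hmac
import json
import time
from typing import Mapping, Optional

# Constructed shared secret for the demo. In practice the secret is issued
# per merchant by the platform and held in a secrets manager, never in code.
WEBHOOK_SECRET = b"constructed-demo-secret-0123456789"
SIGNATURE_HEADER = "X-Signature"   # hypothetical header name (not from the page)
TIMESTAMP_HEADER = "X-Timestamp"   # hypothetical header name (not from the page)
REPLAY_TOLERANCE_SECONDS = 300     # assumed tolerance for clock skew / replay


class WebhookRejected(Exception):
    """Raised when a webhook fails authentication; the caller should respond
    with a 4xx and must not act on the payload."""


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side. The MAC covers the timestamp and the exact body bytes,
    so a replay with an old timestamp or any change to the body is detected."""
    signing_string = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, signing_string, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Mapping[str, str], raw_body: bytes,
           now: Optional[int] = None) -> dict:
    """Receiver side. Authenticate first, parse second: the JSON is only
    decoded after the signature over the raw bytes has been accepted."""
    now = int(time.time()) if now is None else now
    sig = headers.get(SIGNATURE_HEADER)
    ts = headers.get(TIMESTAMP_HEADER)
    if sig is None or ts is None:
        raise WebhookRejected("missing signature or timestamp header")
    try:
        ts_int = int(ts)
    except ValueError:
        raise WebhookRejected("malformed timestamp header")
    # Reject messages outside the replay window before doing any MAC work.
    if abs(now - ts_int) > REPLAY_TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside replay window")
    expected = sign(secret, ts_int, raw_body)
    # compare_digest is constant-time; a plain == would leak timing information.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        raise WebhookRejected("signature mismatch")
    return json.loads(raw_body)


def _accepted(headers: Mapping[str, str], body: bytes, now: int) -> bool:
    try:
        verify(WEBHOOK_SECRET, headers, body, now=now)
        return True
    except WebhookRejected:
        return False


def demo_outcomes() -> dict:
    """Walk through four deliveries of a constructed transaction-status webhook
    and report which ones the receiver accepts."""
    ts = 1_700_000_000
    # Constructed payload, serialised compactly (no spaces) as a sender might.
    body = (b'{"txn_id":"constructed-001","status":"success",'
            b'"amount":"1500.00","currency":"PKR"}')
    headers = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, ts, body),
               TIMESTAMP_HEADER: str(ts)}

    # 1. Genuine delivery, received 10 seconds after it was signed.
    valid = _accepted(headers, body, now=ts + 10)
    # 2. Body altered in transit (amount changed); signature no longer matches.
    tampered = _accepted(headers, body.replace(b"1500.00", b"9500.00"), now=ts + 10)
    # 3. Same genuine message replayed after the tolerance window has passed.
    replayed = _accepted(headers, body, now=ts + REPLAY_TOLERANCE_SECONDS + 1)
    # 4. Receiver parsed the JSON and re-serialised it before verifying.
    #    json.dumps inserts spaces, so the bytes (and the MAC) differ: verify
    #    must always run over the raw request body, never a re-encoded copy.
    reserialised_body = json.dumps(json.loads(body)).encode("utf-8")
    reserialised = _accepted(headers, reserialised_body, now=ts + 10)

    return {"valid": valid, "tampered": tampered,
            "replayed": replayed, "reserialised": reserialised}


if __name__ == "__main__":
    print(demo_outcomes())
```

Only the first delivery is accepted; the re-serialisation case is the one most often missed in practice, because frameworks hand the handler a parsed object rather than the original bytes.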
A.4 Business Terms
BCP (Business Continuity Plan) A documented plan that defines the procedures and resources required to continue essential business operations during and after a disruptive event. The BCP encompasses personnel, technology, communications, and workarounds for critical processes. Maintained by the COO and tested annually.
DACI A decision-making framework similar to RASCI: Driver (who drives the process to completion), Approver (single accountable decision-maker), Contributors (provide input), Informed (notified of outcome). Used in some Simpaisa governance contexts interchangeably with RASCI.
DPA (Data Processing Agreement) A contractual agreement between a data controller and a data processor, setting out the terms under which personal data is processed. Required under GDPR, UK GDPR, and equivalent data protection laws. Simpaisa requires DPAs with all third-party vendors handling personal data.
DPIA (Data Protection Impact Assessment) A process to identify and mitigate privacy risks arising from new or changed data processing activities, particularly where processing is likely to result in a high risk to individuals' rights and freedoms. Required under UK GDPR and PDPA for high-risk data processing activities.
DR (Disaster Recovery) The subset of business continuity planning specifically concerned with restoring IT systems, infrastructure, and data following a major disruption. Simpaisa's DR plan is tested at least annually and defines RTO and RPO targets for each critical system.
ELT (Executive Leadership Team) The senior executive body of Simpaisa Group, comprising the CEO and all direct C-suite and equivalent reports. The ELT is accountable for strategy execution, resource allocation, and organisational performance.
ESOP (Employee Share Ownership Plan) A programme through which employees are granted options or shares in the company as part of their total compensation package. Simpaisa uses ESOPs as a retention and incentive mechanism for senior and technical talent across the group.
IDTA (International Data Transfer Agreement) The UK mechanism for lawfully transferring personal data to countries outside the UK that have not received an adequacy decision. Replaces the EU Standard Contractual Clauses for UK data transfers. Relevant to Simpaisa's UK entity (Commerce Plex) when transferring data to Pakistan, Bangladesh, Singapore, or UAE.
ISMS (Information Security Management System) A systematic approach - comprising policies, processes, procedures, controls, and technologies - for managing an organisation's information security risks. Simpaisa's ISMS is certified to ISO 27001 and owned by the CISO.
KPI (Key Performance Indicator) A quantifiable measure used to evaluate progress against a specific objective or target. Simpaisa uses KPIs across operations, technology, compliance, and commercial functions. KPI definitions, formulae, and targets are documented in Appendix G (KPI Dictionary).
MPSA (Master Payment Services Agreement) Simpaisa's primary commercial contract with merchant partners and institutional clients, governing the terms and conditions of payment services, including pricing, SLAs, liability, data protection, and dispute resolution. Supplemented by country-specific and product-specific addenda.
OKR (Objectives and Key Results) A goal-setting framework in which high-level objectives are defined alongside measurable key results that indicate progress. Used by Simpaisa at group, departmental, and individual levels for strategic planning and performance management.
RASCI A responsibility assignment matrix that classifies roles in a process as Responsible, Accountable, Supportive, Consulted, or Informed. The governing framework for all 15 core processes documented in Section 7 of this Operating Model. See Section 7.1 for full methodology.
SCC (Standard Contractual Clauses) Pre-approved contractual terms issued by the European Commission that provide a lawful basis for transferring personal data from the EEA to third countries. Relevant where Simpaisa entities in EEA-equivalent jurisdictions transfer data internationally.
SLA (Service Level Agreement) A formal commitment, typically between a service provider and a customer or partner, specifying the expected level of service performance - including uptime, response times, error rates, and settlement timelines. Simpaisa publishes SLAs with merchant partners for transaction success rates and settlement cycles.
TOM (Target Operating Model) A blueprint describing the desired future state of an organisation across strategy, governance, processes, people, technology, and data dimensions. Simpaisa's Operating Model is structured around the Deloitte TOM Framework as its organising spine.
APPENDIX B - ACRONYM INDEX
All acronyms used in the Simpaisa Group Operating Model are listed below in alphabetical order with their full expansions. Where an acronym has a specific regulatory or technical meaning, the context is indicated in parentheses.
| Acronym | Full Expansion |
|---|---|
| ABC | Anti-Bribery and Corruption |
| ALB | Application Load Balancer (AWS) |
| AML | Anti-Money Laundering |
| AoC | Attestation of Compliance (PCI DSS) |
| API | Application Programming Interface |
| ARC | Audit and Risk Committee |
| AWS | Amazon Web Services |
| BEFTN | Bangladesh Electronic Funds Transfer Network |
| BFIU | Bangladesh Financial Intelligence Unit |
| BCP | Business Continuity Plan |
| BD | Bangladesh |
| BDT | Bangladeshi Taka |
| BI | Business Intelligence |
| CAB | Change Advisory Board |
| CBUAE | Central Bank of the United Arab Emirates |
| CBI | Central Bank of Iraq |
| CDN | Content Delivery Network |
| CDD | Customer Due Diligence |
| CDE | Cardholder Data Environment |
| CDO | Chief Digital Officer |
| CEO | Chief Executive Officer |
| CFO | Chief Financial Officer |
| CFT | Counter-Financing of Terrorism |
| CI/CD | Continuous Integration / Continuous Deployment |
| CISO | Chief Information Security Officer |
| CH-BDNP | Country Head, Bangladesh and Nepal |
| CH-PK | Country Head, Pakistan |
| COO | Chief Operating Officer |
| CPF | Counter-Proliferation Financing |
| CPO | Chief Product Officer |
| CRC | Compliance and Regulatory Committee |
| CRO | Chief Revenue Officer |
| CSNO | Chief Strategy and Network Officer |
| CTO | Chief Technology Officer |
| CVV | Card Verification Value |
| DACI | Driver, Approver, Contributors, Informed (decision framework) |
| DAST | Dynamic Application Security Testing |
| DCB | Direct Carrier Billing |
| DFSA | Dubai Financial Services Authority |
| DIFC | Dubai International Financial Centre |
| DDoS | Distributed Denial of Service |
| DPA | Data Processing Agreement |
| DPIA | Data Protection Impact Assessment |
| DR | Disaster Recovery |
| EDD | Enhanced Due Diligence |
| ELT | Executive Leadership Team |
| EMI | Electronic Money Institution |
| ERM | Enterprise Risk Management |
| ESOP | Employee Share Ownership Plan |
| EU | European Union |
| FATF | Financial Action Task Force |
| FCA | Financial Conduct Authority (UK) |
| FINTRAC | Financial Transactions and Reports Analysis Centre of Canada |
| FMU | Financial Monitoring Unit (Pakistan) |
| FMSB | Foreign Money Services Business (Canada) |
| FX | Foreign Exchange |
| GH-RA | Global Head of Regulatory Affairs |
| GDPR | General Data Protection Regulation |
| GTV | Gross Transaction Value |
| H-DevOps | Head of DevOps |
| H-Legal | Head of Legal |
| H-Sett | Head of Settlements |
| H-Treas | Head of Treasury |
| HMAC | Hash-Based Message Authentication Code |
| HMRC | His Majesty's Revenue and Customs (UK) |
| HR | Human Resources |
| IaC | Infrastructure as Code |
| IBFT | Inter-Bank Funds Transfer |
| IDTA | International Data Transfer Agreement |
| IFRS | International Financial Reporting Standards |
| Int.Lead | Integration Lead |
| IQD | Iraqi Dinar |
| ISMS | Information Security Management System |
| ISO | International Organisation for Standardisation |
| JV | Joint Venture |
| KPI | Key Performance Indicator |
| KRI | Key Risk Indicator |
| KYB | Know Your Business |
| KYC | Know Your Customer |
| MAS | Monetary Authority of Singapore |
| MDR | Merchant Discount Rate |
| MENA | Middle East and North Africa |
| MLRO | Money Laundering Reporting Officer |
| MPSA | Master Payment Services Agreement |
| MSB | Money Services Business |
| MTD | Maximum Tolerable Downtime |
| Multi-AZ | Multi-Availability Zone (AWS) |
| NLB | Network Load Balancer (AWS) |
| NOC | Network Operations Centre |
| NP | Nepal |
| NPR | Nepalese Rupee |
| NRB | Nepal Rastra Bank |
| NPSB | National Payment Switch Bangladesh |
| OFAC | Office of Foreign Assets Control (US Treasury) |
| OKR | Objectives and Key Results |
| OTC | Over-The-Counter |
| OWASP | Open Web Application Security Project |
| P&L | Profit and Loss |
| PAN | Primary Account Number |
| PCP | Payment Channel Partnerships |
| PCI DSS | Payment Card Industry Data Security Standard |
| PDPA | Personal Data Protection Act (Singapore) |
| PECA | Prevention of Electronic Crimes Act (Pakistan) |
| PEP | Politically Exposed Person |
| PK | Pakistan |
| PKR | Pakistani Rupee |
| PM | Product Manager |
| PMO | Project Management Office / PMO Manager |
| PRD | Product Requirements Document |
| PSO | Payment System Operator |
| PSP | Payment Service Provider |
| PwC | PricewaterhouseCoopers |
| QSA | Qualified Security Assessor |
| RASCI | Responsible, Accountable, Supportive, Consulted, Informed |
| REST | Representational State Transfer |
| RoC | Report on Compliance (PCI DSS) |
| RPO | Recovery Point Objective |
| RTO | Recovery Time Objective |
| SAD | Sensitive Authentication Data |
| SAMA | Saudi Central Bank (Saudi Arabia Monetary Authority) |
| SAR | Suspicious Activity Report |
| SAST | Static Application Security Testing |
| SBP | State Bank of Pakistan |
| SCC | Standard Contractual Clauses |
| SDD | Simplified Due Diligence |
| SDK | Software Development Kit |
| SECP | Securities and Exchange Commission of Pakistan |
| SEO | Senior Executive Officer (DFSA) |
| SIEM | Security Information and Event Management |
| SLA | Service Level Agreement |
| SOC | Security Operations Centre |
| SQA | Software Quality Assurance |
| SRE | Site Reliability Engineering |
| STR | Suspicious Transaction Report |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| TOM | Target Operating Model |
| UAT | User Acceptance Testing |
| UAE | United Arab Emirates |
| UDP | User Datagram Protocol |
| UK | United Kingdom |
| UN | United Nations |
| USDT | USD Tether (stablecoin) |
| VASP | Virtual Asset Service Provider |
| VPC | Virtual Private Cloud (AWS) |
| WAF | Web Application Firewall |
| WMD | Weapons of Mass Destruction |
| 1LINK | Pakistan's interbank network / 1LINK (Guarantee) Limited |
| 3DS | 3D Secure (card authentication protocol) |
| 3DS2 | EMV 3D Secure version 2 |
APPENDIX F - RASCI MATRIX MASTER FILE: PRINTABLE SUMMARY
This appendix provides a condensed single-page quick-reference summary of all 15 RASCI processes defined in Section 7. For each process, the table shows the Accountable role, the key Responsible and Consulted roles, and the number of discrete process steps. The full step-by-step matrices are contained in Sections 7.2 through 7.16.
How to read this table
- Accountable - The single role that is ultimately answerable for the outcome of the process. Only one Accountable role exists per process (though accountability may shift step-by-step within the process; the role listed is the most prevalent A or the A on the most senior step).
- Key Responsible Roles - The primary executing roles across the process. Not exhaustive of every R assignment; focuses on the roles that carry R designations most frequently.
- Key Consulted Roles - Roles with the most material C designations across process steps; those whose input substantively shapes decisions.
- Steps - The number of discrete process steps in the full RASCI matrix.
| # | Process Name | Accountable Role(s) | Key Responsible Roles | Key Consulted Roles | Steps |
|---|---|---|---|---|---|
| 7.2 | Merchant Onboarding (Pay-Ins and Pay-Outs) | CPO (go-live); COO (lead qualification, commercial terms, post-launch) | PM, Compliance Analyst, Sanctions Screening, PMO, SQA | CRO, CFO, GH-RA, Head of Legal, Head of Settlements | 8 |
| 7.3 | Payment Transaction Processing - Collections (Pay-Ins) | H-DevOps (real-time processing steps); CFO (settlement) | DevOps Lead, Head of Settlements, Head of Treasury | CTO, COO, CRO, Compliance Analyst | 7 |
| 7.4 | Payment Transaction Processing - Disbursements (Pay-Outs) | H-DevOps (processing); CISO (compliance screening); CFO (settlement) | DevOps Lead, Head of Treasury, Sanctions Screening, PCP | COO, CRO, CTO | 8 |
| 7.5 | Remittance Corridor Activation | CPO (demand assessment, go-live); GH-RA (regulatory scoping); Compliance Analyst (compliance setup); SQA (testing) | PM, GH-RA, CH-PK, CH-BDNP, PMO, Integration Lead | CEO, COO, CFO, CRO, Head of Legal, Head of Treasury | 8 |
| 7.6 | Crypto Off-Ramp Transaction Processing | H-DevOps (receipt, verification, disbursement, confirmation); CISO (AML/sanctions); CFO (FX); Head of Settlements (reconciliation) | DevOps Lead, Sanctions Screening, Compliance Analyst, Head of Treasury, Integration Lead | COO, CRO, CTO, GH-RA | 7 |
| 7.7 | White-Label Wallet Provisioning | CPO (client requirements, branding, go-live); CTO (technical setup); GH-RA (regulatory assessment); SQA (testing); COO (ongoing support) | PM, Integration Lead, Principal Architect, DevOps Lead | COO, CTO, CISO, CRO, GH-RA | 8 |
| 7.8 | KYC / KYB and Customer Due Diligence | Compliance Analyst (application, document collection, identity verification); CRO (risk scoring, EDD, approval, ongoing monitoring) | Compliance Analyst, Sanctions Screening | CISO, GH-RA, CH-PK, CH-BDNP, Head of Legal | 8 |
| 7.9 | Sanctions Screening and Transaction Monitoring | Sanctions Screening (automated screening, hit determination, false positive review); GH-RA (SAR/STR filing); Head of Legal (record keeping) | Sanctions Screening, Compliance Analyst | CRO, CISO, GH-RA, COO | 7 |
| 7.10 | Settlement and Reconciliation | Head of Settlements (reconciliation, breaks, exceptions); Head of Treasury (settlement calculation, payment execution); CFO (reporting) | Head of Settlements, Head of Treasury, PMO | CFO, COO, CRO, Compliance Analyst | 7 |
| 7.11 | Incident Management and Escalation | H-DevOps (classification, initial response); CTO (investigation, resolution, post-incident review, remediation); COO (stakeholder communication) | DevOps Lead, Principal Architect, Integration Lead, SQA, PM, PMO | CEO, CTO, CISO, CRO, Compliance Analyst | 8 |
| 7.12 | New Market Entry and Licence Application | CEO (market assessment, go-live); Head of Legal (entity incorporation); GH-RA (licence preparation, regulatory submission, compliance setup); COO (local hiring); CFO (banking relationships) | GH-RA, Head of Legal, Compliance Analyst, CH-PK, CH-BDNP, Integration Lead, PCP | COO, CFO, CRO, CISO, PMO | 9 |
| 7.13 | Product Development Lifecycle | CPO (discovery, PRD, UAT); CTO (architecture, development, deployment); PMO (sprint planning); SQA (QA testing); PM (post-launch monitoring) | PM, Integration Lead, DevOps Lead, H-DevOps, SQA | COO, CISO, CRO, GH-RA, Compliance Analyst | 9 |
| 7.14 | Financial Reporting and Audit | H-DevOps (transaction data capture); CFO (ledger posting, reconciliation, management accounts, statutory accounts, external audit); GH-RA (regulatory filings); CEO (board reporting) | Head of Treasury, Head of Settlements, Compliance Analyst, CH-PK, CH-BDNP, Head of Legal | COO, CRO, GH-RA, Head of Legal | 8 |
| 7.15 | Vendor and Partner Onboarding | PCP (vendor identification); CRO (due diligence); COO (commercial negotiation, go-live, performance monitoring); Head of Legal (legal agreement); CTO (technical integration); CISO (security assessment) | PM, PCP, Integration Lead, Principal Architect, SQA, PMO | COO, CFO, CTO, CISO, CRO | 8 |
| 7.16 | Technology Change Management (Releases) | PM (change request); PMO (impact assessment); Principal Architect (architecture review); SQA (QA/testing); CISO (security review); CTO (CAB approval); H-DevOps (deployment, post-deployment monitoring) | DevOps Lead, Integration Lead, H-DevOps, SQA, Compliance Analyst | CTO, CISO, CRO, COO | 9 |
Notes
- Where a process has multiple Accountable roles listed above, accountability shifts between roles across different steps within that process. Section 7 governing rules require exactly one A per step. The table above reflects the most senior or most frequently recurring Accountable designation per process.
- Role abbreviations used in the full matrices (Section 7) are defined in the role key tables embedded within each sub-section.
- This summary table is intended as a navigation aid and quick reference for governance reviews, regulatory submissions, and onboarding materials. For operational use, always refer to the full step-level matrices in Section 7.
- Process step counts reflect the matrices as drafted in Version 1.0. Any subsequent restructuring of process steps in Section 7 should be reflected in a corresponding update to this appendix.
Version: 1.0 | April 2026 | Document Owner: Chief Digital Officer | Review cycle: Annual or upon material change to Section 7