
SIMPAISA GROUP - OPERATING MODEL

Part II, V: Board and Executive Governance | Regulatory Framework and Licensing | Compliance Programme

Version: 0.1 (Draft for Board Review)
Date: April 2026
Document Owner: Chief Digital Officer
Classification: Confidential - Board and Executive Distribution Only


Drafting Note. Governance structures across most of these areas are being established during Q2 2026. This document sets out what should exist - the recommended target state - consistent with the requirements of the DFSA Category 3D licence application, FINTRAC obligations in Canada, SBP requirements in Pakistan, Bangladesh Bank requirements, MAS expectations for the Singapore HoldCo, and FATF Recommendations. Items marked [TBC] require Board input or further regulatory/legal confirmation before they can be finalised.


SECTION 4: BOARD AND EXECUTIVE GOVERNANCE


4.1 Board of Directors

4.1.1 Composition

The Board of Simpaisa Holdings PTE. Limited (the "Board") provides oversight of the Group's strategy, risk appetite, financial performance, regulatory compliance, and governance standards across all nine entities and seven jurisdictions in which the Group operates.

Current Board Composition:

Director | Role | Classification
Nadeem Hussain | Non-Executive Chairman | Non-Executive
Yassir Pasha | Chief Executive Officer | Executive
Bernhard Klemen | Non-Executive Director | Non-Executive
Blake Tan | Non-Executive Director | Non-Executive
Sebastian Reis | Non-Executive Director | Non-Executive

Recommended Target Composition. For a regulated Group of this complexity - and in particular to satisfy the DFSA's governance requirements for a Category 3D Authorised Firm - the Board should include at least one formally designated Independent Non-Executive Director (INED). The DFSA expects that Authorised Firms of this type demonstrate that the Chair of the Audit and Risk Committee is independent of management. The Board should therefore take steps to appoint a minimum of one INED with demonstrable expertise in financial services regulation, payments, or financial crime compliance. [TBC - Board resolution required.]

Recommended target size: Five to seven directors, comprising one executive director (CEO), one non-executive Chairman, and three to five non-executive directors, of whom at least two should qualify as independent under applicable standards.

Independence criteria. A Non-Executive Director shall be classified as independent if they: have not been an employee of the Group within the preceding five years; have no material business relationship with the Group other than as a director; receive no performance-related remuneration from the Group; have no close family ties with any executive director or senior manager; do not represent a significant shareholder whose interests may conflict with those of the Group; and have not served on the Board for more than nine consecutive years without the Board explicitly determining that length of tenure has not compromised independence.

4.1.2 Roles and Responsibilities

Non-Executive Chairman (Nadeem Hussain)
- Leads the Board and sets its agenda in conjunction with the CEO and Company Secretary.
- Ensures the Board functions effectively, with appropriate balance between executive and non-executive directors.
- Chairs Board meetings and the Annual General Meeting.
- Acts as the primary conduit between the Board and the CEO on matters of strategic direction.
- Represents the Board externally where required, including to regulators and major stakeholders.

Executive Director / CEO (Yassir Pasha)
- Accountable to the Board for the overall management and performance of the Group.
- Executes Board-approved strategy and reports progress against it at each Board meeting.
- Presents the Group's financial results, risk position, compliance status, and material events to the Board.
- Leads the Executive Leadership Team and is responsible for the appointment and performance of all direct reports.

Non-Executive Directors (Bernhard Klemen, Blake Tan, Sebastian Reis)
- Provide independent oversight, challenge, and counsel to the executive management.
- Serve on Board Committees as assigned, bringing relevant expertise to bear.
- Bring external perspective on industry developments, regulatory trends, and market opportunities.
- Review and approve material decisions referred to the Board, including those within the Delegation of Authority Matrix.

4.1.3 Meeting Cadence

The Board shall meet at minimum quarterly, with additional extraordinary meetings convened as required by significant events (material regulatory actions, significant transactions, material incidents, or urgent governance matters). The recommended cadence is:

Meeting Type | Frequency | Format
Regular Board Meeting | Quarterly (minimum) | In person or hybrid
Strategy Away Day | Annually | In person
Annual General Meeting | Annually | As required by jurisdiction
Extraordinary Board Meeting | As required | Called with 5 business days' notice (minimum)

Board papers shall be circulated to directors no fewer than five business days in advance of each meeting. The Company Secretary is responsible for preparation and distribution of papers, maintenance of accurate minutes, and tracking of action items to closure.

A quorum for a Board meeting shall be a majority of directors then in office. Board resolutions shall be passed by a simple majority of directors present and voting, save for reserved matters (as set out in the Board Charter) which require a unanimous or specified supermajority.

4.1.4 Board Charter - Summary

The Board Charter governs the functioning of the Board of Simpaisa Holdings PTE. Limited. [Full Board Charter to be drafted and adopted - TBC.] The Charter shall address, at minimum:

Matters Reserved for the Board:
- Approval of Group strategy, annual operating plan, and budget.
- Approval and amendment of the Group Risk Appetite Statement.
- Approval of the annual and interim financial statements.
- Approval of all acquisitions, disposals, joint ventures, and major investments exceeding the threshold set in the Delegation of Authority Matrix.
- Approval of new market entry decisions requiring material capital deployment or licence applications.
- Appointment and removal of executive directors, and approval of their remuneration.
- Appointment of the external auditors.
- Approval of Tier 1 Group Policies.
- Approval of dividend declarations or capital distributions.
- Approval of any material change to the Group's corporate structure, including intercompany arrangements.
- Approval of the Group's DFSA application and all regulatory submissions of material significance.

Board Conduct:
- Directors are expected to act in the best interests of the Group, exercise independent judgement, maintain confidentiality, and declare and manage conflicts of interest in accordance with the Conflicts of Interest Policy. [To be drafted - see Section 27.4.]
- Directors shall be subject to the Group's Fit and Proper Policy. [To be drafted - see Section 27.4.]
- A director unable to attend a meeting may submit written comments on agenda items in advance, but this does not constitute attendance for quorum purposes.


4.2 Board Committees

The Board has established four standing committees to discharge specific oversight responsibilities on its behalf. Each committee operates under formal Terms of Reference approved by the Board. Committees have authority to instruct management to provide information and to commission independent advice. They report to the Board at each quarterly Board meeting by way of a written committee report and verbal summary from the committee chair.


4.2.1 Audit and Risk Committee (ARC)

Purpose. The ARC provides independent oversight of the Group's financial reporting, internal controls, external and internal audit functions, enterprise risk management framework, and risk appetite. It serves as the primary forum for oversight of the Group's operational, financial, regulatory, and reputational risk exposures.

Recommended Composition:
- Chair: Independent Non-Executive Director (INED) [INED appointment required - TBC]
- Members: Minimum two Non-Executive Directors
- Standing invitees: the CEO, CFO, CISO, and Group Head of Internal Audit; external auditors shall attend at minimum twice per year.

Terms of Reference:

Financial Reporting and External Audit
- Review and recommend to the Board the approval of the annual Group financial statements, interim reports, and any formal announcements relating to financial performance.
- Oversee the relationship with the external auditors (PwC Pakistan, PwC Singapore), including assessment of audit scope, findings, management letters, and auditor independence.
- Recommend to the Board the appointment, reappointment, or removal of external auditors.
- Monitor the non-audit services provided by external auditors and assess whether such services compromise auditor independence.

Internal Controls and Internal Audit
- Review the adequacy and effectiveness of the Group's system of internal controls, including financial controls, compliance controls, and operational controls.
- Approve the annual internal audit plan and ensure the internal audit function is adequately resourced and independent. [Internal audit function to be formally established - TBC.]
- Review all internal audit reports and management's responses to findings; track remediation to closure.
- Ensure that the Head of Internal Audit has direct access to the ARC Chair and can escalate concerns without executive management interference.

Risk Management
- Review the Group's Enterprise Risk Management framework and the Group Risk Appetite Statement at least annually; recommend changes to the Board.
- Review the Group's principal risk register and key risk indicators quarterly.
- Receive and review reports on significant risk events, near-misses, and material operational incidents.
- Oversee the Group's business continuity and disaster recovery planning and testing.
- Review and oversee third-party and outsourcing risk management.

Meeting Cadence: Quarterly minimum; additionally as required for financial statement approval. Minutes and actions reported to the Board at each quarterly Board meeting.


4.2.2 Compliance and Regulatory Committee (CRC)

Purpose. The CRC provides Board-level oversight of the Group's compliance obligations across all jurisdictions, regulatory relationships, licence portfolio, financial crime risk management programme, and preparations for the DFSA Category 3D licence application.

Recommended Composition:
- Chair: Non-Executive Director with relevant financial services regulatory or compliance experience [TBC - to be confirmed upon INED appointment]
- Members: Minimum two Non-Executive Directors
- Standing invitees: CEO, CDO, Global Head of Regulatory Affairs (Shoukat Bizinjo), Group Chief Compliance Officer [CCO role to be established - TBC]

Terms of Reference:

Compliance Oversight
- Review and recommend to the Board the approval of all Tier 1 Group Policies related to compliance, AML/CFT/CPF, sanctions, ABC, and data protection.
- Receive and review quarterly compliance reports covering: regulatory developments, policy breaches, SAR/STR filings, sanctions screening findings, audit and examination outcomes, and remediation status.
- Oversee the Group's AML/CFT/CPF programme, including the adequacy of controls across all jurisdictions.
- Review and approve the Group's annual financial crime risk assessment.

Regulatory Affairs
- Review the status of all Group licences and regulatory registrations on a quarterly basis.
- Oversee the progress of licence applications and renewals, including the DFSA Cat 3D application, Pakistan EMI and PSO/PSP applications, Nepal PSO, Saudi Arabia Major PI, and Kazakhstan Payment Organisation.
- Approve the regulatory engagement strategy and ensure appropriate escalation of material regulatory interactions.
- Receive notification of any enforcement action, regulatory investigation, or material regulatory correspondence affecting any Group entity.

Governance and Culture
- Review the Group's compliance training programme and culture indicators annually.
- Review whistleblowing reports and outcomes [upon policy adoption - TBC].
- Oversee fit and proper assessments for approved persons and controlled functions across regulated entities.

Meeting Cadence: Quarterly minimum; additionally as required upon material regulatory event.


4.2.3 Remuneration and Nomination Committee (RemNom)

Purpose. The RemNom Committee oversees the Group's remuneration framework to ensure it is aligned with the Group's risk appetite, long-term strategy, and regulatory requirements; and oversees Board and senior executive composition, succession planning, and the assessment of director independence and fitness.

Recommended Composition:
- Chair: Non-Executive Chairman or designated Non-Executive Director [TBC]
- Members: Minimum two Non-Executive Directors (excluding any executive directors for matters relating to executive remuneration)
- Standing invitees: CEO (for non-CEO matters only), Group CHRO [CHRO role to be confirmed - TBC]

Terms of Reference:

Remuneration
- Review and recommend to the Board the Group's Remuneration Policy [to be drafted - see Section 27.4], ensuring compliance with applicable regulatory requirements (including DFSA remuneration rules upon authorisation).
- Review and approve the remuneration packages (base salary, variable pay, long-term incentives, and benefits) for the CEO and all direct reports to the CEO.
- Ensure that variable remuneration structures do not create incentives that encourage excessive risk-taking or are misaligned with the Group's risk appetite.
- Review remuneration for any Approved Person or Controlled Function holder under applicable regulatory frameworks.

Nomination and Succession
- Lead the process for the appointment of new Board directors, including preparing a role specification, overseeing the search process, and recommending appointments to the Board for approval.
- Review the skills, experience, and diversity composition of the Board annually; identify any gaps and recommend actions.
- Oversee succession planning for the CEO and other executive directors.
- Assess and confirm the independence of Non-Executive Directors annually.
- Oversee the Group's Fit and Proper Policy and confirm that all directors and senior managers satisfy applicable fitness and propriety requirements.

Meeting Cadence: At minimum twice per year; additionally as required for specific appointments or remuneration matters.


4.2.4 Technology and Information Security Committee (TISCo)

Purpose. The TISCo provides Board-level oversight of the Group's technology strategy, information security posture, cybersecurity resilience, data governance, and compliance with ISO 27001 and PCI DSS obligations. It serves as the primary forum for non-executive challenge and oversight of the technology and digital agenda.

Recommended Composition:
- Chair: Chief Digital Officer (Daniel O'Reilly). [Recommended: the CDO chairs as the executive accountable for Technology and Information Security; this is an executive-chaired committee reporting to the Board, appropriate given the Group's digital-first nature and the CDO's mandate.]
- Members: At minimum one Non-Executive Director; the Non-Executive Chairman may observe.
- Standing invitees: CTO, CISO, CPO
- External: An independent technical advisor may be engaged periodically. [TBC]

Terms of Reference:

Technology Strategy and Governance
- Review and recommend to the Board approval of the Group's multi-year Technology Strategy and annual Technology Roadmap.
- Oversee the CDO's delivery against the Technology Roadmap, including review of major milestones, material delays, and change requests to scope or budget.
- Review and approve significant technology investments above the threshold in the Delegation of Authority Matrix.
- Oversee the Group's software development lifecycle, quality assurance standards, and architecture governance.

Information Security and Cyber Resilience
- Review the Group's Information Security Management System (ISMS) performance, including ISO 27001 audit outcomes and remediation plans.
- Review the Group's PCI DSS compliance programme, including scope, audit findings, and remediation.
- Receive quarterly reports from the CISO covering: threat landscape, SOC/NOC findings, material security incidents, penetration test results, vulnerability management status, and cloud security posture.
- Oversee the Group's cyber incident response capability and review post-incident reports for material events.
- Review and approve the Group's Security Architecture and material changes thereto.

Data Governance and Privacy
- Oversee the Group's Data Governance Policy [to be drafted - see Section 27.4] and data protection compliance programme across all jurisdictions (PDPA Singapore, PECA Pakistan, Bangladesh ICT Act, Nepal Privacy Act, UK GDPR, UAE data protection law).
- Review material data incidents or breaches.

Meeting Cadence: Quarterly minimum; additionally as required upon material security incident or technology programme decision.


4.3 Executive Leadership Team

4.3.1 Structure

The Executive Leadership Team (ELT) is the primary executive management forum of the Simpaisa Group. The current structure reflects the introduction of the Chief Digital Officer role effective April 2026, which creates a new executive layer between the CEO and the three digital-capability functions (Product, Information Security, and Technology).

Full ELT Reporting Structure:

Yassir Pasha - Chief Executive Officer
│
├── Daniel O'Reilly - Chief Digital Officer
│   ├── Rizwan Zafar - Chief Product Officer
│   ├── Danish Hamid - Chief Information Security Officer
│   └── Saqlain Raza - Chief Technology Officer
│
├── Kamil Shaikh - Chief Operating Officer
├── Bachir Njeim - Chief Strategy and Network Officer
├── Mohammad Mustafa - Global Chief Financial Officer
├── Shahroze Khan - Chief Revenue Officer
├── Noor Ali - Country Head Pakistan
├── Sanjana Farid - Country Head Bangladesh and Nepal
├── Ahsan Hussain - Payment Channel Partnerships
├── Shoukat Bizinjo - Global Head of Regulatory Affairs
└── [Future additions: Country Heads for Saudi Arabia and MENA - TBC]

Note on CDO Mandate. The CDO role at Simpaisa is structurally broader than the conventional technology leadership brief. Daniel O'Reilly's portfolio spans Product, Information Security, and Technology - representing the Group's primary value-creation engine and its primary control infrastructure in the digital domain. The CDO reports directly to the CEO. This reflects the Board's determination that digital capability and security posture are existential strategic levers, not support functions.

4.3.2 ELT Charter

Purpose. The ELT is responsible for the executive management of the Group, translating Board-approved strategy into operational plans, allocating resources, managing performance, and ensuring that the Group's obligations - regulatory, contractual, financial, and to its people - are met.

Membership. All direct reports to the CEO, plus the CDO's direct reports (CPO, CISO, CTO), who participate as full ELT members in their functional capacity.

Decision-Making Authority. The ELT acts within the authority delegated to it by the Board, as set out in Section 4.4. Material decisions outside delegated authority are referred to the Board. The ELT operates by consensus where possible; where consensus cannot be reached, the CEO has casting authority, subject to Board reserved matters.

Accountability. Each ELT member is personally accountable for the performance of their function, the accuracy of information they present to the ELT and the Board, and the conduct of their teams. Where a matter spans multiple functions, the CEO designates a lead accountable owner.

Information obligations. ELT members are expected to share material information promptly with the full ELT and to ensure that no material event within their function is withheld from the CEO or the Board. This obligation applies regardless of whether the event is positive or adverse.

4.3.3 ELT Meeting Cadence

Meeting Type | Frequency | Purpose
ELT Weekly Standup | Weekly | Performance, blockers, cross-functional alignment, escalations
ELT Monthly Business Review | Monthly | KPI performance, financial results, risk and compliance status, strategic initiatives
ELT Quarterly Strategy Session | Quarterly | Strategy progress, planning horizon, market developments, Board preparation
ELT Annual Planning Off-Site | Annually | Annual operating plan, budget, headcount, roadmap

Weekly standups are held on Monday mornings (Dubai time) and are expected to be attended in person or via video by all ELT members. Absence should be the exception; ELT members who are travelling or on leave should arrange representation.


4.4 Delegation of Authority Matrix

The Delegation of Authority (DoA) Matrix sets out the approval authority for material decisions across the Group. It is designed to ensure that decisions are made at the appropriate level - sufficiently close to operational reality to be informed, yet sufficiently senior to carry appropriate accountability - and that the Board retains visibility of and authority over decisions with material strategic, financial, or regulatory consequence.

General principles:
- All financial thresholds are expressed in USD and apply to the value of a single transaction, commitment, or decision. Cumulative commitments to the same counterparty or within the same category that would, in aggregate, breach a threshold require approval at the level applicable to the aggregate.
- Where approval from multiple parties is indicated, all approvals must be obtained; no single approver may waive the requirement for another.
- Urgent decisions made outside the normal approval chain due to time constraints must be ratified at the appropriate level at the earliest opportunity and documented in the decision log.
- This matrix applies to Simpaisa Holdings PTE. Limited and all subsidiary entities. Entity-level boards may impose stricter thresholds for their own entities.
- [Thresholds below are recommended starting positions. Board confirmation is required before formal adoption. TBC.]

Delegation of Authority Matrix

Decision Category | Board | CEO | CDO | COO | CFO | Department Head

FINANCIAL COMMITMENTS
Capital expenditure | >USD 500K | USD 100K–500K | USD 50K–100K (tech/digital only) | - | USD 25K–100K | USD 10K–25K
Operating expenditure (single commitment) | >USD 500K | USD 100K–500K | USD 50K–100K (digital/tech scope) | - | USD 25K–100K | USD 10K–25K
Technology infrastructure investment | Noted | USD 100K–500K | USD 50K–100K | - | USD 25K–50K (with CDO notation) | Up to USD 25K
Inter-company loans or capital injections | All cases | - | - | - | - | -
Write-offs (bad debt, operational loss) | >USD 250K | USD 50K–250K | - | - | USD 25K–50K | USD 5K–25K

CONTRACTUAL SIGNING
Master Payment Services Agreements (MPSA) with merchants | - | All cases (or as delegated to CRO) | - | - | - | -
Technology vendor agreements | - | >USD 100K | USD 25K–100K | - | - | -
Banking and correspondent agreements | Board ratification for new correspondent relationships | All new bank accounts / correspondents | - | Routine renewals | Routine renewals | -
Regulatory submissions and licence applications | Board approval required | Execution authority | CDO co-signs for tech-related regulatory submissions | - | - | -
Group-level NDAs | - | - | CDO for tech/product scope | For operational scope | For commercial/financial scope | Up to departmental scope

HIRING AND PEOPLE
CEO appointment and removal | Board only | - | - | - | - | -
ELT appointments (direct CEO reports) | Board ratification | CEO proposes | - | - | - | -
CDO direct reports (CPO, CISO, CTO) | Board noted | CEO approval | CDO proposes | - | - | -
Senior management (VP / Head level) | - | Noted | CDO approves within digital functions | Approves for operations functions | Approves for finance functions | -
Manager level and below | - | - | Noted monthly | - | - | Department Head approves; HR process
Redundancies (individual) | - | ELT notification | - | Head of HR / relevant Function Head | - | -
Redundancies (collective, 5+ roles) | Board notification | CEO approval | - | - | - | -

TECHNOLOGY SPEND
New SaaS / software licences | - | >USD 100K annually | Up to USD 100K annually | - | - | -
Cloud infrastructure scaling (incremental monthly run rate change) | - | >USD 50K/month delta | Up to USD 50K/month delta | - | - | -
Security tooling and platforms | - | >USD 100K | Up to USD 100K | - | - | -
Emergency technology spend (incident response) | Post-event noted | >USD 100K | Up to USD 100K | - | - | -

REGULATORY FILINGS
New licence applications | Board approval required | CEO signs | CDO co-signs (technology/digital elements) | - | - | GH Regulatory Affairs leads
Regulatory reports (routine; e.g., FINTRAC, SBP, Bangladesh Bank) | - | Noted | - | - | - | GH Regulatory Affairs / local CO; Compliance Manager
Material regulatory disclosures (breaches, incidents) | Board notified same day | CEO signs off | CDO for technology-related incidents | - | - | GH Regulatory Affairs drafts
Response to regulatory examination / enforcement | Board notified | CEO approval | - | - | - | GH Regulatory Affairs leads

POLICY APPROVAL
Tier 1 Group Policies | Board approves | CEO recommends | CDO recommends (digital/security/product policies) | Function Head recommends | Function Head recommends | -
Tier 2 Entity Policies | Board noted | CEO noted | CDO noted (if digital scope) | Function Head approves | Function Head approves | Local CO/MLRO drafts
Tier 3 SOPs | - | - | - | - | - | Function Head approves

NEW MARKET ENTRY
Entry into a new jurisdiction requiring a licence | Board approval required | CEO proposes | CDO input (technology readiness, data governance) | Operational readiness | Financial model | GH Regulatory Affairs scoping
Entry into a new jurisdiction via partner (no new licence) | Board noted | CEO approves | CDO approves (integration) | COO approves (operations) | - | -
New product launch (existing jurisdictions) | Board noted | CEO approves | CDO approves | - | - | CPO leads

VENDOR SELECTION
Strategic vendors (core platform, payment rails, compliance tech) | Board noted | CEO approves for >USD 100K | CDO approves for technology/security vendors USD 25K–100K | - | - | Up to USD 25K
Standard vendor onboarding | - | - | - | Function Head approval + procurement process | - | -

INCIDENT ESCALATION
Critical security incident (P1) | Board notified within 24hrs | CEO notified immediately | CDO leads response | CISO / CTO operational | - | All functions engaged
Regulatory breach or reportable incident | Board notified within 24hrs | CEO notified immediately | CDO notified immediately (if tech-related) | GH Regulatory Affairs / CCO leads | - | -
Material operational failure (P1) | Board notified within 24hrs | CEO notified within 2hrs | CDO notified within 1hr | COO / Country Head Pakistan leads | - | -
Financial fraud / loss event | Board notified | CEO notified immediately | - | - | CFO leads | -

4.5 Governance Calendar

The Governance Calendar sets out the annual cycle of Board and Committee meetings, regulatory filings, audit events, and licence renewal obligations. All dates are indicative and should be confirmed by the Company Secretary following formal Board adoption of this calendar. [TBC - specific dates to be confirmed.]

4.5.1 Board and Committee Meeting Calendar (Indicative Annual Cycle)

Month | Event | Body | Purpose
January | Q4 Results Review (prior year) | ARC | Review Q4 financials; external audit status
January | ELT Annual Planning Off-Site | ELT | Annual operating plan, budget, headcount
February | Board Q1 Meeting | Board | Q4/full-year results; strategy; risk review
February | ARC Meeting | ARC | Full-year financial statements; external auditor report
February | CRC Meeting | CRC | Annual compliance report; policy reviews
February | RemNom Meeting | RemNom | Executive remuneration review; Board skills assessment
February | TISCo Meeting | TISCo | Annual technology review; security posture
March | Annual General Meeting | Board + Shareholders | Statutory AGM; auditors; dividends [TBC by jurisdiction]
March | Group Financial Crime Risk Assessment | ELT / Compliance | Annual FCRA refresh
April | ELT Quarterly Strategy Session | ELT | Q1 performance; Q2–Q3 outlook
May | Board Q2 Meeting | Board | Q1 results; mid-year strategic update
May | ARC Meeting | ARC | Q1 financials; internal audit report
May | CRC Meeting | CRC | Regulatory filings review; licence status
May | TISCo Meeting | TISCo | Technology roadmap progress; security quarterly
June | ISO 27001 Surveillance Audit | CISO / External | Annual ISO 27001 surveillance (or recertification cycle)
June | PCI DSS Assessment | CISO / QSA | Annual PCI DSS Report on Compliance / SAQ
July | ELT Quarterly Strategy Session | ELT | H1 performance; H2 planning
August | Board Q3 Meeting | Board | H1 results; growth markets update
August | ARC Meeting | ARC | H1 financials; risk register review
August | CRC Meeting | CRC | Financial crime risk assessment review
August | RemNom Meeting | RemNom | Mid-year performance; succession review
August | TISCo Meeting | TISCo | Security incidents review; cloud security posture
September | Group Policy Annual Review | Compliance / ELT | Tier 1 policy review cycle
October | ELT Annual Planning Off-Site | ELT | Following-year budget and planning
October | Internal Audit Plan for Next Year | ARC | Approve next-year internal audit plan
November | Board Q4 Meeting | Board | Q3 results; year-end planning; budget approval
November | ARC Meeting | ARC | Q3 financials; external auditor appointment/reappointment
November | CRC Meeting | CRC | Regulatory pipeline; 12-month licence renewal review
November | TISCo Meeting | TISCo | Technology and security year-end review
December | RemNom Meeting | RemNom | Year-end remuneration; Board evaluation
December | Board Wrap-Up / Strategy | Board | Annual board evaluation; strategy confirmation

4.5.2 Regulatory Filing Calendar by Jurisdiction

Jurisdiction | Entity | Obligation | Frequency | Approximate Deadline | Responsible Officer
Canada - FINTRAC | Simpaisa CA LTD | MSB Annual Report / Compliance Report | Annual | 31 March (following calendar year) | Simpaisa CA Compliance Officer
Canada - FINTRAC | Commerce Plex Limited | FMSB Annual Report / Compliance Report | Annual | 31 March | Commerce Plex Compliance Officer
Canada - FINTRAC | Both entities | Suspicious Transaction Reports (STRs) | Within 30 days of reasonable grounds | Rolling | Local Compliance Officers
Canada - FINTRAC | Both entities | Large Cash Transaction Reports (LCTRs) | Within 15 days | Rolling | Local Compliance Officers
Canada - FINTRAC | Both entities | Electronic Funds Transfer Reports | Within 5 days | Rolling | Local Compliance Officers
Pakistan - SBP | PublishEx Solutions | Schedule H Regulatory Reporting | Quarterly | As per SBP circulars | Country Head Pakistan / GH Regulatory Affairs
Pakistan - SBP | PublishEx Solutions | Annual Compliance Report | Annual | [TBC - confirm SBP deadline] | GH Regulatory Affairs
Pakistan - FMU | PublishEx Solutions | Suspicious Transaction Reports | Immediately / ASAP | Rolling | PublishEx MLRO
Bangladesh - Bangladesh Bank | Soft Tech / aamarPay | PSO Regulatory Reporting | Quarterly / Monthly | As per Bangladesh Bank guidelines | Country Head BD / Local CO
Bangladesh - BFIU | Soft Tech / aamarPay | Suspicious Transaction Reports (STRs) | As per BPSSR 2014 | Rolling | Country Head BD / Local CO
Nepal - NRB | Pay Nest PVT LTD | PSP / Partnership Reporting | As per NRB requirements | [TBC - confirm NRB requirements] | Country Head BD&NP
Singapore - MAS | Simpaisa Holdings PTE. Limited | MAS Regulatory Returns | Annual / as required | [TBC] | Group CCO / Singapore Company Secretary
UAE - DFSA | Simpaisa Technologies LTD | Application Progress Reporting | As required during application | Per DFSA directions | GH Regulatory Affairs / CDO
UK - HMRC | Commerce Plex Limited | MSB Registration Renewal | As required | [TBC] | Commerce Plex Compliance Officer
Iraq - CBI | Branch Office | Local regulatory reporting | As required | [TBC] | GH Regulatory Affairs

4.5.3 Audit Cycle

Audit | Frequency | Approximate Timing | Owner
External Audit - Singapore HoldCo (PwC Singapore) | Annual | October–February | Global CFO
External Audit - Pakistan / PublishEx (PwC Pakistan) | Annual | October–February | Global CFO
Internal Audit - Group (to be established) | Annual plan; quarterly reports | Continuous | Head of Internal Audit [TBC]
ISO 27001 Internal Audit | Annual | July | CISO
ISO 27001 External Surveillance / Recertification | Annual / triennial | June | CISO
PCI DSS QSA Assessment | Annual | June | CISO
Regulatory Examinations (FINTRAC) | Variable | Typically 2–5 years | Local Compliance Officers
Group Financial Crime Risk Assessment | Annual | March | Group CCO / GH Regulatory Affairs


SECTION 11: REGULATORY FRAMEWORK AND LICENCING


11.1 Licencing Map by Jurisdiction

The table below sets out the full licencing position for the Simpaisa Group across all active and target jurisdictions. It expands on the skeleton table to include licence conditions (where known), renewal dates (where applicable), responsible officers, and current status.

11.1.1 Active and In-Progress Licences

| Jurisdiction | Entity | Licence / Registration | Regulator | Key Conditions | Renewal / Expiry | Responsible Officer | Status |
|---|---|---|---|---|---|---|---|
| Canada | Simpaisa CA LTD | Money Services Business (MSB) - FINTRAC Registration | FINTRAC | AML/CFT programme; LCTR/STR reporting; record-keeping 5 years; agent registration | Ongoing registration; annual compliance report | Simpaisa CA Compliance Officer | Active |
| Canada | Commerce Plex Limited | Foreign Money Services Business (FMSB) - FINTRAC Registration | FINTRAC | Same as MSB; applies to services to Canadian customers from outside Canada | Ongoing registration | Commerce Plex Compliance Officer | Active |
| Pakistan | PublishEx Solutions PVT Limited | SBP Schedule H (Branchless Banking Aggregator via UBL/1LINK); Branchless Banking Agency | State Bank of Pakistan (SBP) | Maintain BB agency network; SBP reporting; AML/CFT programme; FMU reporting; capital requirements [TBC - confirm SBP capital thresholds] | [TBC - confirm renewal dates] | GH Regulatory Affairs (Shoukat Bizinjo) / Country Head Pakistan (Noor Ali) | Active |
| Bangladesh | Soft Tech Innovation PVT LTD / aamarPay | Payment Service Operator (PSO) Licence | Bangladesh Bank | PSO operating conditions; BFIU reporting; BPSSR 2014 compliance; local director requirements | [TBC - confirm renewal date] | Country Head BD (Sanjana Farid) / GH Regulatory Affairs | Active |
| Nepal | Pay Nest PVT LTD | PSP Partnership / Integration (via licensed PSPs) | Nepal Rastra Bank (NRB) | Operating through licensed PSP partners (Khalti, e-Sewa, IME Pay, Paywell); own PSO licence application planned | N/A (partnership model) | Country Head BD&NP (Sanjana Farid) | Active (partnership) / Application planned |
| Iraq | Simpaisa Holdings PTE. LTD (Branch Office) | Local partner arrangement; branch registration | Central Bank of Iraq (CBI) | Operating through local licensed partner; branch-level compliance obligations; heightened sanctions controls | [TBC] | GH Regulatory Affairs | Active (limited) |
| UAE | Simpaisa Technologies LTD | Commercial Licence (current); DFSA Category 3D Authorised Firm (in application) | DFSA; CBUAE | DFSA Cat 3D: Non-exec Chair required; UAE-resident SEO; MLRO; Compliance Officer; minimum capital USD 300K–500K; operational resilience requirements; FATF compliance | Application in progress [TBC - target date] | GH Regulatory Affairs / CDO | In Application |
| Singapore | Simpaisa Holdings PTE. Limited | HoldCo under MAS framework; [confirm MAS regulatory classification - TBC] | Monetary Authority of Singapore (MAS) | Standard MAS corporate governance and AML/CFT requirements for HoldCo | [TBC] | Group CCO / Singapore Company Secretary | Active (HoldCo) |
| UK | Commerce Plex Limited | HMRC Money Service Business Registration | HMRC; FCA (for regulated activities if applicable) | MSB registration maintained; AML/CFT obligations under MLRO; HMRC registration | Ongoing | Commerce Plex Compliance Officer | Active |

11.1.2 Target Licences - Acquisition Roadmap

See Section 11.4 for the full roadmap. Summary:

| Jurisdiction | Entity | Licence Target | Regulator | Status |
|---|---|---|---|---|
| Pakistan | PublishEx / Target entity | Electronic Money Institution (EMI) | SBP | In negotiation (33.3% stake in licensed entity) |
| Pakistan | PublishEx | PSO / PSP Own Licence | SBP | Application planning phase |
| UAE / DIFC | Simpaisa Technologies | DFSA Category 3D | DFSA | Application in progress |
| Nepal | Pay Nest PVT LTD | Payment Service Operator (PSO) | NRB | M&A target identified; [TBC] |
| Saudi Arabia | New entity (to be determined) | Major Payment Institution (Major PI) | SAMA | Post-partnership phase; target [TBC] |
| Kazakhstan | New entity (to be determined) | Payment Organisation | NBRK / AFSA | Regulatory scoping phase; target [TBC] |

11.2 Regulatory Engagement Strategy

11.2.1 Philosophy and Approach

Simpaisa's regulatory strategy is rooted in a principle of proactive, relationship-based engagement with regulators across all jurisdictions. Rather than treating regulators as gatekeepers to be managed reactively at reporting deadlines, the Group seeks to build substantive, trust-based relationships with key regulatory counterparts - relationships characterised by transparency, prompt disclosure of material events, and demonstrated commitment to the intent as well as the letter of applicable requirements.

This approach is particularly important given Simpaisa's operational footprint in frontier and emerging markets - Pakistan, Bangladesh, Nepal, Iraq - where regulatory relationships are more interpersonal, regulatory capacity may be more limited, and the quality of the firm's engagement with the regulator directly affects the speed and outcome of licence applications, reporting obligations, and examination processes.

The Global Head of Regulatory Affairs (Shoukat Bizinjo) is the Group's primary regulatory relationship owner. His team's mandate is to maintain active, current, and appropriately senior engagement with each of the Group's regulatory counterparts, to anticipate regulatory developments, and to position Simpaisa as a credible and cooperative regulated entity in each jurisdiction.

11.2.2 Key Regulatory Relationships

| Regulator | Jurisdiction | Primary Simpaisa Contact | Engagement Approach |
|---|---|---|---|
| FINTRAC | Canada | Local Compliance Officers; GH Regulatory Affairs oversight | Annual reporting; proactive disclosure of programme changes; examination readiness |
| State Bank of Pakistan (SBP) | Pakistan | GH Regulatory Affairs (Shoukat Bizinjo - ex-SBP 25 years); Country Head Pakistan (Noor Ali) | High-frequency, senior-level engagement leveraging GH Regulatory's SBP institutional knowledge; early engagement on EMI and PSO applications |
| Bangladesh Bank / BFIU | Bangladesh | Country Head BD (Sanjana Farid); GH Regulatory Affairs | Regular engagement via Country Head; local compliance representation; BFIU STR coordination |
| Nepal Rastra Bank (NRB) | Nepal | Country Head BD&NP (Sanjana Farid); GH Regulatory Affairs | Partnership model engagement; direct NRB engagement as PSO application progresses |
| DFSA | UAE / DIFC | GH Regulatory Affairs; CDO; CEO | Formal application process; Regulatory Business Plan submission; CEO and CDO engage at senior DFSA level; use of external legal counsel for application management |
| MAS | Singapore | Group CCO; Singapore Company Secretary | Annual returns; material change notifications; proactive engagement on group regulatory structure |
| HMRC / FCA | UK | Commerce Plex Compliance Officer; GH Regulatory Affairs | Registration maintenance; annual MSB compliance report |
| Central Bank of Iraq (CBI) | Iraq | GH Regulatory Affairs; local partner | Engagement managed via local licensed partner; heightened sanctions compliance oversight |
| SAMA | Saudi Arabia | GH Regulatory Affairs; CEO | Pre-application engagement as market entry progresses through partnership phase |
| NBRK / AFSA | Kazakhstan | GH Regulatory Affairs | Early-stage regulatory scoping; market intelligence |

11.2.3 Proactive Engagement Principles

Regulatory horizon scanning. The GH Regulatory Affairs team maintains an active regulatory horizon scanning function, monitoring proposed rule changes, guidance updates, enforcement actions against peers, and policy consultations in all Group jurisdictions. Developments of potential Group significance are reported to the CRC quarterly and to the ELT on an ad hoc basis where immediate action is required.

Regulatory filing quality. All regulatory filings - reports, licence applications, responses to regulatory queries - are prepared to a standard of accuracy, completeness, and professional presentation consistent with the Group's reputation as a serious, regulated financial services participant. Filings are reviewed by the GH Regulatory Affairs before submission and, for material submissions, by the CDO and CEO.

Proactive disclosure. Where a material event occurs within any Group entity that falls within a regulatory reporting obligation - or where the Group has doubt about whether such an obligation applies - the default position is to disclose proactively to the relevant regulator rather than to withhold. The GH Regulatory Affairs and Group CCO are jointly responsible for making this determination, with the CEO involved for all material disclosures. Legal counsel is engaged where disclosure obligations are unclear.

Pre-application engagement. For all new licence applications, the GH Regulatory Affairs team seeks pre-application meetings with the relevant regulator prior to formal submission wherever this is permitted. Such meetings allow the Group to understand regulatory expectations, signal its commitment to compliance, and identify potential issues in advance, reducing the risk of formal objections or delays during the application process.

Examination readiness. Each regulated entity maintains a state of continuous examination readiness, with up-to-date policies and procedures, trained staff, complete and accessible records, and documented evidence of AML/CFT programme effectiveness. GH Regulatory Affairs conducts annual examination readiness reviews for each regulated entity.


11.3 Licence Application and Market Entry Process

The following 10-step playbook governs Simpaisa's approach to all new licence applications and market entry decisions. It applies to own-licence applications, M&A-based licence acquisition, and market entry via licensed partnership where regulatory approval is required. The playbook is owned by the GH Regulatory Affairs and the CDO.

Step 1 - Market Identification and Initial Screening

Trigger: Market opportunity identified by CSNO, CRO, CEO, or Country Head; or inbound partner enquiry suggesting market potential.

Activities:
- Initial market sizing and commercial opportunity assessment by CSNO/CRO.
- High-level regulatory landscape review by GH Regulatory Affairs: what licence types exist, which regulator is responsible, what is the current regulatory stance towards fintech/payments, and are foreign entities permitted to hold licences?
- Preliminary sanctions and geopolitical risk assessment.
- Board notification at next quarterly meeting if strategic significance warrants.

Output: Market screening summary (1–2 pages). Decision: proceed to feasibility or park.

Step 2 - Regulatory Feasibility Study

Activities:
- GH Regulatory Affairs commissions detailed regulatory analysis (internal or via local legal counsel).
- Identify all applicable licence types; assess which is optimal for Simpaisa's intended product set.
- Map capital requirements, ownership restrictions (local vs. foreign ownership), fit and proper requirements for directors/management, technology and operational requirements, AML/CFT programme standards.
- Identify any pre-application registration or notification requirements.
- Assess regulatory timeline: how long does the application typically take? Are there precedents from comparable applicants?

Output: Regulatory feasibility report. Decision gate: proceed to business case or not viable.

Step 3 - Business Case Development

Activities:
- CFO and CSNO develop full financial model: market size, addressable volume, revenue projections (3-year), capital deployment required (licence capital + operational runway), breakeven timeline.
- COO develops operational model: headcount required, local entity structure, local banking requirements, technology integration scope.
- CDO assesses technology readiness: does the current platform support the target market? What incremental development is required? Estimated build timeline and cost.
- Legal counsel reviews corporate structure implications: is a new entity required? What are the tax implications? Are there transfer pricing considerations?
- Risk assessment: country risk, regulatory risk, financial risk, operational risk.

Output: Business case document. Decision gate: ELT approval; Board approval if capital requirement or strategic significance triggers Board threshold.

Step 4 - Application Strategy and Regulatory Pre-Engagement

Activities:
- GH Regulatory Affairs requests pre-application meeting with regulator (where permitted).
- Appoint local legal counsel and, where required, a local Compliance Officer or MLRO.
- Prepare preliminary regulatory business plan summarising Simpaisa's business model, ownership structure, proposed products, AML/CFT approach, and governance.
- Identify all controlled function holders / approved persons required and assess their fitness and propriety.
- If acquiring a licensed entity (M&A route): commission regulatory due diligence; assess licence conditions; assess transfer of licence implications.

Output: Application strategy paper; local counsel appointment; preliminary regulatory business plan.

Step 5 - Entity and Governance Preparation

Activities:
- Incorporate local legal entity (or identify acquisition target) with appropriate share capital.
- Appoint local directors, MLRO, and Compliance Officer as required by the regulator.
- Draft local AML/CFT/CFP policy and procedures (Tier 2 entity policies) consistent with Group framework.
- Establish local bank account(s) to demonstrate banking relationships and seed capital.
- Ensure intercompany agreements are in place between HoldCo and the new entity.
- Register entity for local tax and corporate obligations.

Output: Incorporated entity; appointed officers; local policies; bank account; intercompany agreements.

Step 6 - Application Preparation

Activities:
- GH Regulatory Affairs leads preparation of all application materials in close collaboration with local counsel, the local MLRO/CO, the CDO (technology and data governance sections), the CFO (financial projections and capital), and the COO (operations).
- Materials typically include: application form; regulatory business plan; AML/CFT programme; technology and security description; operational resilience plan; financial projections; governance documentation (board composition, CVs and fitness documents for all proposed approved persons); ownership structure and source of funds for capital.
- Internal review: GH Regulatory Affairs reviews full application; CDO reviews technology/security sections; CEO signs off; Board approves if required by DoA.

Output: Complete, board-approved licence application pack.

Step 7 - Application Submission and Regulatory Dialogue

Activities:
- Submit application to regulator with all required supporting materials and applicable fees.
- GH Regulatory Affairs maintains a regulatory dialogue tracker: logging all regulatory queries, responses, and meetings during the application review period.
- Respond promptly and completely to all regulatory requests for additional information.
- Maintain ongoing availability of approved persons for potential regulatory interviews.
- Escalate any indications of regulatory concern immediately to the CEO and CRC.

Output: Submitted application; active regulatory dialogue.

Step 8 - Pre-Launch Operational Build

Activities (run in parallel with Step 7 to minimise time-to-market post-approval):
- Technology integration for the new market: payment rail integrations, compliance system configuration (Eastnets sanctions screening for new entity/corridors), reporting infrastructure.
- Recruit in-market operational team under Country Head (or prepare to onboard under existing Country Head where remit is being expanded).
- Establish AML/CFT monitoring parameters for the new market.
- Prepare merchant/partner onboarding documentation and KYB/KYC procedures for the new jurisdiction.
- Business Continuity Plan for the new entity.
- Staff training on local regulatory requirements.

Output: Operational readiness for launch; compliance system configured; team in place.

Step 9 - Licence Receipt and Conditions Assessment

Activities:
- Upon receipt of licence, GH Regulatory Affairs conducts a full review of all licence conditions; prepares a conditions register.
- Each condition is assigned an owner, a compliance status, and a monitoring obligation.
- Where conditions impose obligations not yet reflected in operational procedures, SOPs are updated.
- Confirm capital injection into licensed entity to meet required minimum.
- GH Regulatory Affairs issues a "licence conditions briefing" to ELT and the CRC.
- Board notified of licence receipt; entity added to Group licence register.

Output: Conditions register; updated SOPs; Board notification.

Step 10 - Go-Live and Steady-State Regulatory Compliance

Activities:
- Soft launch (limited volume, controlled merchant base) before full commercial launch to validate compliance controls in live environment.
- First regulatory filing submitted within applicable deadline.
- Post-launch review at 30 days and 90 days: are all compliance obligations being met? Are transaction monitoring alerts at expected levels? Are operational processes working as designed?
- Annual examination readiness review scheduled.
- GH Regulatory Affairs establishes regular reporting cycle to CRC.

Output: Live, regulated entity; first regulatory filings; steady-state compliance programme.


11.4 Licence Acquisition Roadmap

11.4.1 Pakistan - Electronic Money Institution (EMI)

| Attribute | Detail |
|---|---|
| Entity | PublishEx Solutions PVT Limited (or new HoldCo acquisition vehicle) |
| Jurisdiction | Pakistan |
| Licence Type | EMI Licence - SBP Electronic Money Institutions Regulations 2019 |
| Regulator | State Bank of Pakistan (SBP) |
| Route | Acquisition of 33.3% stake in existing licensed EMI player |
| Status | In negotiation |
| Timeline | [TBC - dependent on counterparty negotiation and SBP change of control approval] |
| Capital Requirements | Minimum PKR 200 million paid-up capital (approx. USD 700K at current rate) for full EMI licence [TBC - confirm current SBP threshold] |
| Key Milestones | (1) Conclude negotiations and term sheet; (2) Regulatory due diligence on target; (3) SBP change of control notification/approval; (4) Completion of share transfer; (5) Integration of EMI licence into Group operating model |
| Strategic Rationale | EMI licence unlocks white-label wallet issuance in Pakistan, enabling e-money accounts, stored value, and domestic wallet infrastructure - significantly expanding the product suite beyond the current Schedule H aggregator model. |
| Responsible Officer | GH Regulatory Affairs (Shoukat Bizinjo); CDO (Daniel O'Reilly) for technology integration |

11.4.2 Pakistan - Own PSO/PSP Licence

| Attribute | Detail |
|---|---|
| Entity | PublishEx Solutions PVT Limited |
| Jurisdiction | Pakistan |
| Licence Type | Payment System Operator (PSO) / Payment Service Provider (PSP) Licence |
| Regulator | State Bank of Pakistan (SBP) |
| Route | Own licence application |
| Status | Application planning phase |
| Timeline | [TBC - SBP PSO/PSP application timeline typically 6–12 months] |
| Capital Requirements | PSO: PKR 200 million minimum net equity; PSP: PKR 100 million minimum net equity [TBC - confirm current SBP thresholds] |
| Key Milestones | (1) Regulatory scoping with SBP (leverage GH Regulatory's SBP relationships); (2) Business case Board approval; (3) Application preparation; (4) SBP submission; (5) Regulatory dialogue; (6) Licence receipt |
| Strategic Rationale | Own PSO/PSP licence removes dependency on third-party aggregator relationships and grants Simpaisa direct settlement relationships with the SBP payment infrastructure, improving margins and control over Pakistan payment rails. |
| Responsible Officer | GH Regulatory Affairs; Country Head Pakistan (Noor Ali) |

11.4.3 UAE / DIFC - DFSA Category 3D Authorised Firm

| Attribute | Detail |
|---|---|
| Entity | Simpaisa Technologies LTD |
| Jurisdiction | UAE (DIFC) |
| Licence Type | DFSA Category 3D - Providing Money Services (Arranging/Transmitting Money) |
| Regulator | Dubai Financial Services Authority (DFSA) |
| Route | Own licence application |
| Status | Application in progress |
| Timeline | [TBC - DFSA applications typically 6–18 months depending on complexity and completeness] |
| Capital Requirements | USD 300,000–500,000 minimum regulatory capital (to be confirmed at application assessment) |
| Key Governance Requirements | Non-Executive Chair; UAE-resident Senior Executive Officer (SEO); Money Laundering Reporting Officer (MLRO) appointed and approved; Compliance Officer; Finance Officer |
| Key Milestones | (1) Pre-application DFSA meeting (completed/in progress [TBC]); (2) Regulatory Business Plan approved by Board; (3) Appointment of SEO, MLRO, CO; (4) Formal application submission; (5) DFSA assessment and information requests; (6) DFSA approval in principle; (7) Capital injection; (8) Full DFSA authorisation; (9) Go-live |
| Strategic Rationale | DFSA authorisation creates Simpaisa's MENA hub - enabling regulated payment services, remittance, and potentially crypto off-ramping from the DIFC; enhancing credibility with MENA clients and correspondent banks; and anchoring the management function (Dubai DIFC) within a regulated perimeter. |
| Responsible Officer | GH Regulatory Affairs; CDO; CEO |

11.4.4 Nepal - Payment Service Operator (PSO) Licence

| Attribute | Detail |
|---|---|
| Entity | Pay Nest PVT LTD |
| Jurisdiction | Nepal |
| Licence Type | Payment Service Operator (PSO) - Nepal Rastra Bank |
| Regulator | Nepal Rastra Bank (NRB) |
| Route | M&A - acquisition of, or merger with, NRB-licensed PSO entity; alternatively, own licence application |
| Status | M&A target identified [TBC - due diligence status] |
| Timeline | [TBC] |
| Capital Requirements | NPR 150 million minimum paid-up capital for PSO; NPR 250 million for PSP [TBC - confirm current NRB thresholds] |
| Key Milestones | (1) M&A target due diligence; (2) NRB regulatory approval for change of control or new application; (3) Capital injection; (4) Integration into Group operating model; (5) Go-live under own licence |
| Strategic Rationale | Own PSO licence in Nepal replaces the current partnership model with direct regulatory standing, enabling independent product expansion and improving commercial position with Nepalese PSPs and banks. |
| Responsible Officer | GH Regulatory Affairs; Country Head BD&NP (Sanjana Farid) |

11.4.5 Saudi Arabia - Major Payment Institution (Major PI)

| Attribute | Detail |
|---|---|
| Entity | New entity to be determined (likely JV or local subsidiary) |
| Jurisdiction | Saudi Arabia |
| Licence Type | Major Payment Institution (Major PI) - Saudi Payments / SAMA |
| Regulator | Saudi Central Bank (SAMA) / Saudi Payments |
| Route | Phase 1: Aggregator via local processor; Phase 2: JV with local partner; Phase 3: Own Major PI licence |
| Status | Phase 1 target Q2 2026; Major PI application in post-partnership phase |
| Timeline | Phase 1: Q2 2026; Phase 2: [TBC]; Phase 3 (own licence): [TBC - SAMA Major PI process timeline typically 12–24 months] |
| Capital Requirements | [TBC - SAMA Major PI minimum capital requirements to be confirmed with SAMA/local counsel] |
| Key Milestones | Phase 1: Local processor partnership agreement; Phase 2: JV structure agreed with candidate partner (D360 Bank, MBC Group, Mawarid under consideration [TBC]); Phase 3: SAMA pre-application engagement; formal application; approval |
| Strategic Rationale | Saudi Arabia is Simpaisa's highest-priority expansion market, representing the largest inbound remittance corridor for South Asia globally. A direct SAMA licence creates the infrastructure for the Saudi-Pakistan, Saudi-Bangladesh, and Saudi-Nepal corridors. |
| Responsible Officer | GH Regulatory Affairs; CEO; CSNO (Bachir Njeim) |

11.4.6 Kazakhstan - Payment Organisation

| Attribute | Detail |
|---|---|
| Entity | New entity to be incorporated |
| Jurisdiction | Kazakhstan |
| Licence Type | Payment Organisation - National Bank of Kazakhstan (NBRK) or Astana International Financial Centre (AIFC) |
| Regulator | NBRK / AFSA (AIFC Financial Services Authority) |
| Route | Own licence application; AIFC route under consideration given common law framework and DFSA-aligned regulation |
| Status | Regulatory scoping phase |
| Timeline | Target Q1 2026 initial market entry; own licence [TBC] |
| Capital Requirements | [TBC - confirm NBRK/AIFC payment organisation capital requirements] |
| Key Milestones | (1) Regulatory scoping (NBRK vs. AIFC route decision); (2) Local entity incorporation; (3) Application preparation; (4) Submission; (5) Approval; (6) Go-live |
| Strategic Rationale | Kazakhstan is a significant diaspora and migrant worker remittance market with high volumes from Russia and UAE; the AIFC framework is commercially attractive given its DFSA-aligned regulatory approach. |
| Responsible Officer | GH Regulatory Affairs |


SECTION 12: COMPLIANCE PROGRAMME


12.1 Group Compliance Framework - Three Lines of Defence

12.1.1 Framework Overview

The Simpaisa Group Compliance Programme is structured around the Three Lines of Defence (3LoD) model, consistent with FATF Recommendations, Basel Committee guidance on corporate governance, and the requirements of the Group's key regulators (FINTRAC, SBP, Bangladesh Bank, NRB, DFSA, MAS). The 3LoD model allocates accountability for risk and compliance management across three distinct levels, ensuring that no single party bears exclusive responsibility and that multiple, independent layers of assurance operate simultaneously.

This structure is intentional: the Group operates across nine entities, seven jurisdictions, and multiple regulatory regimes simultaneously. A single centralised compliance function without embedded first-line ownership would be both operationally impractical and unacceptable to regulators. Equally, a purely decentralised model - where each entity manages compliance independently - would create unacceptable inconsistency in standards and Group-level blind spots. The 3LoD model resolves this tension.

12.1.2 First Line of Defence - Business Ownership

Composition: All business units, operations teams, technology teams, product teams, and Country Head organisations.

Principle: The first line is the origin of risk. Every employee who executes a transaction, onboards a customer, builds a product feature, or manages a payment rail is a participant in the first line. First-line teams own the risks they create and are responsible for operating within the policies, procedures, and controls established by the compliance function and approved by the Board.

Responsibilities:
- Implement and adhere to all Group policies, entity-level policies, and standard operating procedures.
- Complete all required AML/CFT, sanctions, and conduct training within required timeframes.
- Execute KYC/KYB and Customer Due Diligence (CDD) for their customer relationships, escalating to the compliance function where enhanced due diligence or unusual activity is identified.
- Report suspicious activity, potential breaches, and near-misses to the MLRO or local Compliance Officer without delay.
- Embed compliance considerations into new product design, new channel integrations, and new market entry planning from the outset (compliance by design).
- Country Heads are accountable for first-line compliance in their respective jurisdictions and are expected to maintain active oversight of their teams' compliance performance.

Key control owners in the first line:
- Country Head Pakistan (Noor Ali) - Pakistan operations
- Country Head BD&NP (Sanjana Farid) - Bangladesh and Nepal operations
- CPO (Rizwan Zafar) - product design and feature development
- CTO (Saqlain Raza) - technology build and change management
- Payment Channel Partnerships (Ahsan Hussain) - partner and correspondent onboarding

12.1.3 Second Line of Defence - Compliance and Risk Functions

Composition: Group Chief Compliance Officer [to be appointed - TBC], local MLROs/Compliance Officers, Global Head of Regulatory Affairs, Group Risk function [CRO/Risk function to be formally structured - TBC].

Principle: The second line sets standards, monitors compliance with those standards, provides guidance and challenge to the first line, and reports compliance status to the Board and regulators. The second line does not own business risk - it oversees it.

Responsibilities:
- Draft, maintain, and update all Tier 1 Group Policies and review Tier 2 entity policies for consistency with Group standards.
- Design and maintain the Group AML/CFT/CPF programme, sanctions programme, KYC/KYB standards, and transaction monitoring framework.
- Review and approve customer risk classifications for high-risk and PEP-related relationships.
- Conduct the annual Group Financial Crime Risk Assessment.
- Review transaction monitoring alerts and conduct investigations as required.
- Prepare and submit all SAR/STR filings to relevant financial intelligence units.
- Maintain the Group's regulatory relationships in conjunction with GH Regulatory Affairs.
- Report to the CRC quarterly; report to the ARC on compliance-related risk matters.
- Monitor regulatory developments and assess their impact on the Group's operations.
- Conduct second-line compliance monitoring and testing (see Section 12.10).

Reporting line. The Group CCO reports to the CEO and has a direct reporting line to the CRC Chair. This dual reporting ensures that the compliance function maintains independence from the business whilst remaining within the Group's management structure. Local MLROs/Compliance Officers report to the Group CCO on compliance matters, with a local management reporting line to the relevant Country Head or entity CEO.

12.1.4 Third Line of Defence - Internal Audit

Composition: Group Internal Audit function [to be established - TBC], supported by external auditors (PwC Pakistan, PwC Singapore) for statutory and specific engagements.

Principle: The third line provides independent, objective assurance to the Board and the ARC on the adequacy and effectiveness of the Group's governance, risk management, and internal control frameworks. Internal Audit is independent of both the first and second lines and reports directly to the ARC Chair.

Responsibilities:
- Prepare and execute the annual internal audit plan, approved by the ARC.
- Conduct audits of compliance programme effectiveness, financial crime controls, operational processes, technology controls, and information security.
- Report audit findings, risk ratings, and management remediation plans to the ARC.
- Follow up on prior audit findings and report remediation status.
- Conduct special investigations as directed by the ARC or the Board.
- Provide input to the ARC on the adequacy of the three lines of defence model.

Note: The internal audit function has not yet been formally established. This is a priority gap to be addressed in Q2/Q3 2026. In the interim, the external auditors (PwC) perform certain assurance functions within the scope of their statutory audit, and the Group CCO conducts second-line monitoring which partially compensates. The ARC should commission a plan for the establishment of an internal audit function at its first meeting. [TBC.]


12.2 AML/CFT/CPF Programme

12.2.1 Programme Architecture

The Group's Anti-Money Laundering, Countering the Financing of Terrorism, and Countering the Proliferation Financing (AML/CFT/CPF) programme is structured as a two-tier architecture: a Group-level programme establishing minimum standards for all entities, supplemented by jurisdiction-specific addenda that adapt those standards to local regulatory requirements.

Tier 1 - Group AML/CFT/CPF Policy. Applicable to all nine entities. Sets out the Group's risk appetite for financial crime, the overall AML/CFT/CPF programme structure, roles and responsibilities, minimum KYC/CDD standards, transaction monitoring requirements, SAR/STR obligations, record-keeping standards, training requirements, and the sanctions programme. Owned by the Group CCO; approved by the Board.

Tier 2 - Jurisdiction Addenda. Currently in place for:
- Singapore HoldCo (MAS framework) - existing AML/CFT/PF policy
- Canada - Commerce Plex (FINTRAC FMSB) - existing AML/CFT/PF policy
- Canada - Simpaisa CA (FINTRAC MSB) - existing AML/CFT policy
- Pakistan - PublishEx (SBP, FMU) - existing AML/CFT/PF policy

Addenda required (to be drafted):
- Bangladesh - Soft Tech / aamarPay (Bangladesh Bank / BFIU / BPSSR 2014)
- Nepal - Pay Nest (NRB requirements)
- UAE - Simpaisa Technologies (DFSA AML/CFT requirements upon authorisation)
- Iraq - Branch Office (CBI requirements; heightened risk)

12.2.2 FATF Alignment

The Group's AML/CFT/CPF programme is designed to comply with the FATF Recommendations and their interpretive notes, as the minimum global standard. Where local regulatory requirements exceed the FATF standard (as is increasingly the case for FINTRAC and MAS), local requirements take precedence. Where local regulatory requirements fall below the FATF standard - which may occur in some frontier markets - the Group applies the FATF standard as its minimum, irrespective of local law.

FATF Travel Rule. The Group complies with FATF Recommendation 16 (the Travel Rule) for wire transfers and virtual asset transfers. Originator and beneficiary information is collected, retained, and transmitted with all qualifying transfers. For crypto off-ramping (USDT to PKR via Binance), the Group applies enhanced Travel Rule controls given the VASP context, consistent with FATF Guidance on Virtual Assets.

12.2.3 Programme Components

The AML/CFT/CPF programme encompasses:
- Business-wide risk assessment (annual Financial Crime Risk Assessment - see 12.2.4 below)
- Customer risk assessment and classification
- KYC/KYB and Customer Due Diligence (Section 12.3)
- Transaction monitoring (Section 12.4)
- SAR/STR reporting (Section 12.5)
- Sanctions screening (Section 12.6)
- Record-keeping (five years minimum, seven years in certain jurisdictions)
- Staff training (annual mandatory; role-specific enhanced training)
- Independent review / audit (third line)

12.2.4 Annual Financial Crime Risk Assessment

The Group conducts an annual Financial Crime Risk Assessment (FCRA) covering all entities, products, customer segments, channels, and geographies. The FCRA is used to:
- Identify and assess inherent financial crime risks (ML, TF, PF, fraud, sanctions evasion)
- Evaluate the adequacy of controls against each identified risk
- Determine residual risk ratings and the Group's overall financial crime risk exposure
- Prioritise remediation where residual risk exceeds the Group's risk appetite
- Inform the annual AML/CFT programme review and compliance monitoring plan

The FCRA is prepared by the Group CCO, reviewed by the ELT, and approved by the CRC. It is submitted to the relevant regulators where required (FINTRAC, SBP) and retained for regulatory examination purposes.


12.3 KYC/KYB and Customer Due Diligence Standards

12.3.1 Risk-Based Approach

Simpaisa applies a risk-based approach (RBA) to customer due diligence, consistent with FATF Recommendation 1 (RBA) and the requirements of all applicable regulators. The RBA means that the intensity of due diligence applied to any customer or merchant relationship is proportionate to the assessed risk of that relationship - with simplified due diligence applied to demonstrably lower-risk relationships and enhanced due diligence applied to higher-risk ones.

The risk-based approach is not an option to apply reduced controls universally - it is a structured methodology for allocating more intensive resources where the risk is greatest, whilst maintaining baseline standards across all relationships.

12.3.2 Customer Risk Classification

All customers (individual consumers) and merchants/partners (business entities) are assigned a risk classification at onboarding, reviewed periodically, and updated on a trigger-event basis. The classification drives the CDD tier applied.

Risk factors considered (individual consumers):
- Country of residence and nationality (high-risk jurisdiction lists: FATF High-Risk Third Countries, EU/OFAC/HMT high-risk lists)
- PEP status (current or former Politically Exposed Person and immediate family members / close associates)
- Adverse media
- Transaction profile (volumes, values, frequency relative to stated purpose)
- Channel (face-to-face vs. digital/remote)
- Source of funds (where applicable)

Risk factors considered (merchants / business partners):
- Jurisdiction of incorporation and operations
- Industry / merchant category code (MCC): elevated risk for gaming, gambling, crypto, money transfer, luxury goods, shell companies
- Ownership and control structure (beneficial ownership transparency)
- PEP links among beneficial owners or directors
- Adverse media on entity, directors, or beneficial owners
- Transaction profile and business model
- Quality and source of KYB documentation

12.3.3 Tiered CDD Framework

Tier 1 - Simplified Due Diligence (SDD)

Applied to: Lower-risk customers and merchants where there is demonstrably low ML/TF risk, consistent with applicable regulatory permissions and FATF guidance on SDD. Not applied in jurisdictions where SDD is not permitted.

Minimum requirements:
- Name, date of birth (individual) or entity name and registration number (business)
- Country of residence / registered office
- Verification via one reliable source
- Self-declaration of business nature and source of funds (business)

SDD is not available for PEPs, high-risk jurisdiction customers, or where adverse media is identified.

Tier 2 - Standard Customer Due Diligence (CDD)

Applied to: The majority of customers and merchants assessed as medium risk.

Minimum requirements (individual):
- Full legal name; date of birth; residential address; nationality
- Government-issued photo ID (passport, national ID card) - original or certified copy; or electronic verification via approved biometric or document verification service
- PEP screening; sanctions screening
- Verification of residential address (utility bill, bank statement, or equivalent, not more than 3 months old)
- Statement of purpose of relationship and source of funds (self-declaration at minimum; documented evidence where warranted)

Minimum requirements (business / merchant):
- Legal entity name; registration number; country of incorporation
- Certificate of incorporation or equivalent legal establishment document
- Memorandum and articles of association (or equivalent constitutional document)
- Evidence of registered address
- Identification of all directors and Ultimate Beneficial Owners (UBOs) holding 25% or more (some jurisdictions require a 10% threshold - [TBC by jurisdiction]); CDD on each to the individual standard above
- Sanctions and adverse media screening on entity, directors, and UBOs
- Evidence of regulatory licences where the merchant is itself a regulated entity (payment platforms, financial institutions, crypto exchanges)
- Nature of business; products/services to be processed; expected transaction volumes

Tier 3 - Enhanced Due Diligence (EDD)

Applied to: High-risk customers and merchants; all PEPs and their associated parties; customers from FATF High-Risk Third Countries; relationships where standard CDD verification has not been achieved to the required standard; relationships where adverse information has been identified; and relationships where transaction monitoring has flagged unusual activity.

Minimum requirements (in addition to all Tier 2 requirements):
- Senior management approval required prior to onboarding (Group CCO or designated senior compliance officer)
- Source of wealth documentation: verified evidence of how the customer's or merchant's wealth was accumulated (not just source of funds for the transaction)
- Enhanced adverse media screening (deep-dive, including non-English language sources where relevant)
- Enhanced sanctions and PEP screening with extended universe (associates, linked entities)
- Documented assessment of the business rationale for the relationship and why the risk is acceptable within the Group's risk appetite
- Enhanced ongoing monitoring: more frequent transaction monitoring review; lower alert thresholds; more frequent periodic reviews
- For PEPs: identification of whether the PEP is domestic or foreign; senior management approval; source of wealth and funds scrutiny; ongoing enhanced monitoring throughout the relationship

Ongoing monitoring. Customer due diligence is not a one-time event. All customer and merchant relationships are subject to periodic review, the frequency of which is calibrated to their risk classification:
- High-risk / EDD relationships: minimum annually
- Medium-risk / standard CDD: minimum every two years
- Low-risk / SDD: minimum every three years

In addition, trigger events (material changes to the customer's profile, unusual transaction activity, adverse media identification, PEP status change, sanctions list inclusion) require an out-of-cycle review regardless of the scheduled review date.

Record-keeping. All KYC/KYB documentation, risk assessments, CDD decisions, and EDD records must be retained for a minimum of five years following the end of the customer relationship (seven years in certain jurisdictions - [TBC by jurisdiction]), in a form that is readily accessible for regulatory examination.


12.4 Transaction Monitoring Programme

12.4.1 Overview

The transaction monitoring programme is designed to detect and investigate transactions and patterns of behaviour that may indicate money laundering, terrorist financing, proliferation financing, sanctions evasion, or fraud. It operates on a combination of automated rule-based and threshold-based alert generation and human investigator review.

The programme is a core component of the Group's AML/CFT/CPF programme and is subject to annual review, back-testing, and update by the Group CCO. Rule sets and thresholds are calibrated per jurisdiction and per product line to reflect the specific risk profile of each.

12.4.2 Monitoring Architecture

Automated monitoring. Transaction data flows from the Group's payment processing platform into the transaction monitoring system in near real time. The monitoring system applies a library of detection scenarios - rules and thresholds - to identify transactions and patterns that meet defined alert criteria. Alerts are generated automatically and queued for analyst review.

Detection scenarios include (not exhaustive):
- Single transaction above threshold (jurisdiction-specific; aligned to FINTRAC Large Cash Transaction thresholds in Canada, SBP reporting thresholds in Pakistan, etc.)
- Rapid structuring: multiple transactions just below reporting thresholds within a defined time window
- Velocity: unusually high transaction frequency for a customer/merchant within a defined period relative to their expected profile
- Dormant account activation: resumption of activity after extended inactivity, particularly where the reactivation involves large or unusual transactions
- Geographic anomaly: transactions inconsistent with the customer's known profile, particularly involving high-risk jurisdictions
- Unusual counterparty patterns: payments to or from the same counterparty across multiple customers (potential layering)
- Round-amount transactions: a disproportionate proportion of transactions in round figures (indicator of structuring)
- Merchant-specific scenarios: transaction profiles inconsistent with the merchant's stated business category or expected volume band; excessive refund rates; unusual OTC cash patterns

Calibration and tuning. Alert thresholds are calibrated to minimise false positives whilst preserving detection sensitivity. Over-alerting leads to analyst fatigue, slower disposition times, and reduced quality of investigation - a well-documented failure mode in financial crime monitoring programmes. The Group CCO conducts quarterly alert calibration reviews, adjusting thresholds and rule parameters based on alert disposition data, false positive rates, and regulatory feedback. Material threshold changes are documented and reported to the CRC.

Back-testing. Annually, the monitoring programme is back-tested against known typologies and prior suspicious activity cases to confirm that the detection scenarios would have triggered in those circumstances. Back-testing results inform programme updates and are documented for regulatory examination purposes.
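The following is an added illustration, not the Group's monitoring system or any vendor's rule engine, of how four of the scenarios listed in 12.4.2 (single transaction above threshold, rapid structuring, velocity, round amounts) and the back-testing step can be expressed as rules over a transaction batch. The threshold, window and multiplier values, the customer ids and the sample transactions are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical parameters for illustration; the Group calibrates thresholds per
# jurisdiction and product line (Section 12.4.2), so these are constructed values.
REPORTING_THRESHOLD = 10_000.0   # single-transaction reporting threshold
STRUCTURING_BAND = 0.10          # "just below" = within 10% under the threshold
STRUCTURING_MIN_COUNT = 3        # sub-threshold transactions needed in the window
STRUCTURING_WINDOW = timedelta(hours=24)
VELOCITY_MULTIPLIER = 3          # alert when a day's count exceeds 3x expected
ROUND_AMOUNT_RATIO = 0.80        # share of round-figure amounts that alerts
ROUND_AMOUNT_MIN_COUNT = 5       # minimum history before the ratio is meaningful

@dataclass
class Txn:
    customer: str
    ts: datetime
    amount: float

@dataclass
class Alert:
    scenario: str
    customer: str
    detail: str

def is_round(amount: float) -> bool:
    """Round-figure amount: a whole multiple of 100 (structuring indicator)."""
    return amount >= 100 and amount % 100 == 0

def run_scenarios(txns, expected_daily_count):
    """Apply the rule-based scenarios to a batch; expected_daily_count maps
    customer -> expected transactions per day from the CDD profile."""
    alerts = []
    by_customer = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_customer[t.customer].append(t)
        # Scenario: single transaction at or above the reporting threshold
        if t.amount >= REPORTING_THRESHOLD:
            alerts.append(Alert("single_above_threshold", t.customer,
                                f"{t.amount:.2f} at {t.ts.isoformat()}"))
    lower_band = REPORTING_THRESHOLD * (1 - STRUCTURING_BAND)
    for cust, items in by_customer.items():
        # Scenario: rapid structuring - several just-below-threshold transactions
        # inside a sliding window (items are already in time order)
        near = [t for t in items if lower_band <= t.amount < REPORTING_THRESHOLD]
        for start in near:
            window = [t for t in near if start.ts <= t.ts < start.ts + STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT:
                total = sum(t.amount for t in window)
                alerts.append(Alert("rapid_structuring", cust,
                                    f"{len(window)} txns totalling {total:.2f} in {STRUCTURING_WINDOW}"))
                break
        # Scenario: velocity - daily count far above the customer's expected profile
        per_day = defaultdict(int)
        for t in items:
            per_day[t.ts.date()] += 1
        baseline = expected_daily_count.get(cust, 1)
        for day, n in sorted(per_day.items()):
            if n > VELOCITY_MULTIPLIER * baseline:
                alerts.append(Alert("velocity", cust, f"{n} txns on {day} vs expected {baseline}/day"))
                break
        # Scenario: disproportionate share of round-amount transactions
        if len(items) >= ROUND_AMOUNT_MIN_COUNT:
            ratio = sum(is_round(t.amount) for t in items) / len(items)
            if ratio >= ROUND_AMOUNT_RATIO:
                alerts.append(Alert("round_amounts", cust, f"{ratio:.0%} of transactions in round figures"))
    return alerts

def back_test(alerts, known_cases):
    """Back-testing (Section 12.4.2): did each known typology case, given as a
    (scenario, customer) pair, trigger? Returns case -> bool for documentation."""
    fired = {(a.scenario, a.customer) for a in alerts}
    return {case: case in fired for case in known_cases}

# Constructed sample batch (fictional customers and amounts).
D = datetime(2026, 4, 1)
SAMPLE_TXNS = [
    # C001: four deposits just under the threshold within one day -> structuring
    Txn("C001", D.replace(hour=9), 9_500.0), Txn("C001", D.replace(hour=11, minute=30), 9_800.0),
    Txn("C001", D.replace(hour=14), 9_200.0), Txn("C001", D.replace(hour=16, minute=45), 9_900.0),
    # C002: ordinary low-value activity -> no alert
    Txn("C002", D + timedelta(days=1), 120.50), Txn("C002", D + timedelta(days=3), 340.00),
    # C003: one large payment -> single transaction above threshold
    Txn("C003", D + timedelta(days=2), 15_000.0),
    # C004: every payment a round figure across five days -> round amounts
    *[Txn("C004", D + timedelta(days=i), a) for i, a in enumerate([500.0, 1_000.0, 2_000.0, 500.0, 700.0])],
    # C005: five payments in one day against an expected one per day -> velocity
    *[Txn("C005", D.replace(hour=10 + i), a) for i, a in enumerate([12.34, 56.78, 90.12, 34.56, 78.90])],
]
EXPECTED_DAILY = {"C001": 2, "C002": 1, "C003": 1, "C004": 1, "C005": 1}
KNOWN_CASES = {("rapid_structuring", "C001"), ("single_above_threshold", "C003"),
               ("round_amounts", "C004"), ("velocity", "C005")}

if __name__ == "__main__":
    found = run_scenarios(SAMPLE_TXNS, EXPECTED_DAILY)
    print(*(f"[{a.scenario}] {a.customer}: {a.detail}" for a in found), sep="\n")
    print(back_test(found, KNOWN_CASES))
```

The back-test dictionary is the artefact a reviewer would retain: any False entry is a typology the current rule set would have missed and should drive the programme update.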

12.4.3 Alert Disposition Process

  1. Automated alert generated and assigned to a compliance analyst.
  2. Analyst reviews underlying transaction data, customer/merchant profile, CDD documentation, and any prior alerts or investigation history.
  3. Initial triage decision: (a) false positive - alert closed with documented rationale; (b) requires further information - customer or relationship manager contacted; (c) escalate - alert escalated to Senior Analyst / MLRO.
  4. Where escalated: Senior Analyst / MLRO conducts enhanced investigation, potentially including open-source research, enhanced adverse media review, and cross-referencing with other transactions.
  5. MLRO decision: (a) no grounds for suspicion - alert closed, documented; (b) reasonable grounds for suspicion - SAR/STR prepared and filed (see Section 12.5); (c) refer for EDD or relationship exit.
  6. All alert dispositions are documented in the transaction monitoring system and retained for five years minimum.

Tipping-off prohibition. Consistent with applicable legislation in all jurisdictions, no employee may inform a customer, merchant, or any third party that they are the subject of a suspicious activity investigation or that an STR has been or may be filed. This prohibition is absolute and is included in all staff training.


12.5 SAR/STR Reporting

12.5.1 Programme Overview

The Suspicious Activity Reporting (SAR) / Suspicious Transaction Reporting (STR) programme governs Simpaisa's obligations to report to financial intelligence units (FIUs) across all Group jurisdictions when there are reasonable grounds to suspect that funds are the proceeds of crime, are linked to terrorist financing, or that proliferation financing is occurring.

The decision to file or not file a SAR/STR rests with the MLRO (at entity level) or the Group CCO. No employee may override the MLRO's decision to file; equally, no employee may override the MLRO's reasoned decision not to file. Business considerations - including concern about losing a customer relationship - must never be a factor in the SAR/STR filing decision.

12.5.2 Reporting Obligations by Jurisdiction

Jurisdiction | Filing Body | Reporting Standard | Deadline | Responsible Officer
Canada (Simpaisa CA, Commerce Plex) | FINTRAC | Suspicious Transaction Report (STR) - filed when there are reasonable grounds to suspect proceeds of crime or TF | Within 30 days of the day the measures enabling the filing were taken (i.e., of reasonable grounds being formed) | Local Compliance Officers; Group CCO oversight
Canada (both entities) | FINTRAC | Terrorist Property Reports | Immediately upon knowledge or reasonable grounds | Local Compliance Officers
Pakistan (PublishEx) | Financial Monitoring Unit (FMU) | Suspicious Transaction Report (STR) | Immediately / as soon as possible upon identification of suspicious activity; no prescribed day count but immediate reporting expected under Anti-Money Laundering Act 2010 | PublishEx MLRO; GH Regulatory Affairs
Bangladesh (Soft Tech / aamarPay) | Bangladesh Financial Intelligence Unit (BFIU) | Suspicious Transaction Report (STR) | Within the timeframe specified under BPSSR 2014 and BFIU instructions [TBC - confirm current BFIU deadline] | Country Head BD; Local CO
Singapore (HoldCo) | Suspicious Transaction Reporting Office (STRO) - part of Commercial Affairs Department | Suspicious Transaction Report | As soon as practicable / ASAP upon knowledge or reasonable suspicion | Group CCO
Nepal (Pay Nest) | Financial Information Unit (FIU) Nepal | As per NRB requirements | [TBC - confirm NRB STR deadlines] | Country Head BD&NP
Iraq (Branch) | Central Bank of Iraq / Iraqi FIU | As per CBI requirements | [TBC] | GH Regulatory Affairs; local partner
UK (Commerce Plex) | National Crime Agency (NCA) - UKFIU | Suspicious Activity Report (SAR) | ASAP; typically within 7 days of identification (consent SAR before proceeding where required) | Commerce Plex MLRO / Compliance Officer
UAE (Simpaisa Technologies, post-DFSA authorisation) | UAE Financial Intelligence Unit (UAE-FIU) via goAML portal | Suspicious Transaction Report | ASAP (DFSA AML Rules require prompt reporting) | UAE MLRO (to be appointed)

12.5.3 Internal Escalation Procedure

  1. Any employee who identifies a suspicious transaction, customer behaviour, or other financial crime indicator must report it internally to the relevant MLRO or Compliance Officer immediately, using the Group's designated internal reporting mechanism (to be formalised and published - [TBC]).
  2. The MLRO acknowledges receipt and conducts a preliminary review within one business day.
  3. If the MLRO concludes that reasonable grounds exist, the MLRO prepares the SAR/STR filing, reviews with Group CCO, and files with the relevant FIU within the applicable deadline.
  4. The filing is recorded in the Group SAR/STR Register maintained by the Group CCO.
  5. The MLRO notifies the ARC of SAR/STR filings on a quarterly basis (aggregate number and nature, not individual case details which may be subject to tipping-off restrictions).
  6. Where a SAR/STR filing relates to an ongoing customer or merchant relationship, the MLRO determines whether to suspend, exit, or continue the relationship, in consultation with the Group CCO and legal counsel where required.

12.5.4 Record-Keeping

All SAR/STR filings, supporting investigation materials, and internal escalation records are retained in a dedicated, restricted-access compliance case management system. Access is limited to the compliance function and, where required, internal audit and the ARC. Retention period: seven years minimum in Canada (FINTRAC); five years in most other jurisdictions. [Confirm by jurisdiction - TBC.]


12.6 Sanctions Compliance

12.6.1 Programme Overview

Simpaisa's sanctions compliance programme is designed to ensure that the Group does not conduct any transaction, provide any service, or enter into any relationship with a sanctioned person, entity, or jurisdiction, in contravention of applicable sanctions laws and regulations. Given the Group's geographic footprint - including operations in Pakistan, Bangladesh, Nepal, and Iraq - and its exposure to high-risk corridors, sanctions compliance is a critical control function.

Applicable sanctions regimes include:
- UN Security Council Consolidated List
- US OFAC (SDN List, sector and geographic programmes relevant to Group corridors)
- UK HMT Consolidated List (applicable to Commerce Plex and relevant globally given USD clearing dependencies)
- EU Consolidated List (relevant for European correspondent relationships)
- DFSA sanctions requirements (upon UAE authorisation)
- Canadian OSFI/Global Affairs Canada sanctions (FINTRAC entities)
- SBP sanctions requirements (Pakistan)
- Bangladesh Bank sanctions guidance

12.6.2 Eastnets Screening Platform

Simpaisa uses Eastnets as its primary sanctions screening technology. Eastnets provides:
- Real-time screening of all payment transactions against consolidated global sanctions lists
- Customer and merchant onboarding screening (name screening against UN, OFAC, HMT, EU, and other configured lists)
- Batch screening for periodic re-screening of the existing customer and merchant portfolio
- PEP screening integrated with sanctions screening at onboarding and on a periodic basis
- Watchlist management: Eastnets maintains and updates list data automatically; the Compliance team is responsible for configuring the screening parameters and monitoring list update notifications

Screening scope. All of the following are screened through Eastnets:
- All individual transactions (real-time, at the point of payment initiation)
- All customers and merchants at onboarding
- All beneficial owners and directors of merchant entities at onboarding
- All Group employees in roles with access to payment systems (at appointment and annually)
- All correspondent bank and payment partner relationships at onboarding and annually
- Periodic re-screening of the full customer/merchant portfolio (minimum quarterly; more frequently for high-risk relationships)

12.6.3 Screening Process and Alert Disposition

Step 1 - Screening initiation. For transactional screening, Eastnets receives transaction data from the payment processing platform in real time and screens the originator, beneficiary, and any intermediary names, account numbers, and reference fields against the configured sanctions lists.

Step 2 - Alert generation. Eastnets generates an alert where a potential match is identified based on name-matching algorithms (fuzzy matching, transliteration matching, alias matching). Alerts include a match score and the list/entry triggering the alert.

Step 3 - Initial triage. A sanctions screening analyst reviews the alert. The analyst assesses whether the match is: (a) a clear false positive (e.g., common name with no other matching characteristics) - in which case the alert is closed and documented with rationale; or (b) a potential hit requiring further investigation.

Step 4 - Hit investigation. The analyst gathers all available information about the counterparty: full name, date of birth, nationality, address, business description, and any other identifying information. The analyst compares this information against the details of the sanctions list entry to assess whether there is a true match.

Step 5 - Escalation to MLRO / Compliance Officer. All hits that cannot be clearly resolved as false positives at Step 3 are escalated to the MLRO or Compliance Officer immediately. The transaction is suspended pending resolution; no funds are processed whilst a potential true match is under investigation.

Step 6 - True hit determination. The MLRO / Compliance Officer makes the final determination: true hit or false positive. Where there is any doubt, the default position is to treat as a potential true hit, escalate to the Group CCO and legal counsel, and seek guidance from the relevant regulator before processing.

Step 7 - True hit actions. Where a true sanctions hit is confirmed:
- The transaction is blocked / funds frozen in accordance with applicable sanctions laws.
- The relevant regulator / FIU is notified in accordance with applicable mandatory reporting requirements (e.g., OFAC reports, FINTRAC notifications, SBP notifications).
- The customer/merchant relationship is reviewed and, in most cases, exited.
- The incident is documented fully in the Group's Sanctions Incident Register.
- The ARC and CRC are notified.

Step 8 - Record-keeping. All screening records, alert dispositions, hit investigation files, and true hit reports are retained for the applicable regulatory period (minimum five years; seven years in some jurisdictions).

12.6.4 Iraq - Heightened Sanctions Controls

Given the proximity of Iraq Branch operations to sanctioned entities, persons, and jurisdictions, the Group applies heightened sanctions controls for all Iraq-originated or Iraq-destined transactions:
- Enhanced screening parameters (lower fuzzy match threshold)
- Manual review of all transactions above a defined threshold ([TBC - threshold to be set by Group CCO in consultation with GH Regulatory Affairs])
- Senior compliance officer sign-off required for any Iraq-related transaction that generates a screening alert, even if assessed as a false positive
- Quarterly compliance review of Iraq operations by GH Regulatory Affairs and Group CCO
- External legal opinion on permissible Iraq activities to be obtained and refreshed annually [TBC]
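As an added illustration of Steps 2, 3 and 5 of 12.6.3 together with the lower fuzzy-match threshold and senior sign-off rule of 12.6.4, the following Python is not the Group's Eastnets configuration (whose matching internals are proprietary) but a stand-alone name-screening routine using stdlib fuzzy matching. The watchlist entries and ids, both threshold values, the stopword list and the corridor code `IQ` are constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries (fictional names and ids; not real list data).
WATCHLIST = [
    {"id": "WL-0001", "list": "UN", "name": "Example Trading Company",
     "aliases": ["Example Trading Co", "Ex Trading"]},
    {"id": "WL-0002", "list": "OFAC", "name": "John Alexander Doe",
     "aliases": ["J. A. Doe"]},
]

# Hypothetical match-score thresholds: the heightened (lower) value applies to
# the Iraq corridor per Section 12.6.4; the real values are set by the Group CCO.
DEFAULT_THRESHOLD = 0.85
HEIGHTENED_THRESHOLD = 0.75
HEIGHTENED_CORRIDORS = {"IQ"}

# Corporate suffixes and filler words that should not drive a match on their own.
STOPWORDS = {"the", "of", "and", "co", "company", "ltd", "limited", "llc", "inc"}

def normalise(name: str) -> str:
    """Fold accents, case and punctuation; drop stopwords; keep token order."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    return " ".join(t for t in tokens if t not in STOPWORDS)

def match_score(candidate: str, entry: dict) -> float:
    """Best fuzzy similarity of candidate against the entry's name and aliases.
    Tokens are sorted before comparison so word order alone cannot defeat a match."""
    cand = " ".join(sorted(normalise(candidate).split()))
    best = 0.0
    for variant in [entry["name"], *entry["aliases"]]:
        ref = " ".join(sorted(normalise(variant).split()))
        if cand and ref:
            best = max(best, SequenceMatcher(None, cand, ref).ratio())
    return best

def screen(party_name: str, corridor: str = "XX", watchlist=WATCHLIST):
    """Step 2: screen one party name. Returns (outcome, entry id, score); an
    "alert" outcome means the transaction is suspended pending analyst triage."""
    threshold = HEIGHTENED_THRESHOLD if corridor in HEIGHTENED_CORRIDORS else DEFAULT_THRESHOLD
    best_entry, best = None, 0.0
    for entry in watchlist:
        score = match_score(party_name, entry)
        if score > best:
            best_entry, best = entry, score
    if best >= threshold:
        return "alert", best_entry["id"], round(best, 3)
    return "clear", None, round(best, 3)

def triage(corridor: str, outcome: str, rationale: str, senior_signoff: bool = False) -> str:
    """Step 3 disposition. A false-positive closure needs a documented rationale and,
    for Iraq-corridor alerts, senior compliance officer sign-off (12.6.4). Anything
    else stays suspended and is escalated to the MLRO (Step 5)."""
    if outcome != "false_positive":
        return "escalated"
    if not rationale.strip():
        raise ValueError("false-positive closure requires a documented rationale")
    if corridor in HEIGHTENED_CORRIDORS and not senior_signoff:
        raise ValueError("Iraq-corridor alert closure requires senior compliance sign-off")
    return "closed"

if __name__ == "__main__":
    for name, corridor in [("Example Trading Co.", "CA"), ("Exmaple Trading Co", "CA"),
                           ("J Doe", "CA"), ("J Doe", "IQ"), ("Acme Widgets", "IQ")]:
        print(name, corridor, screen(name, corridor))
```

Note how the same partial name "J Doe" clears on the default corridor but alerts on the Iraq corridor: that is the practical effect of the lower fuzzy threshold, and the cost is more analyst work per transaction, which 12.6.4 accepts deliberately.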


12.7 Anti-Bribery and Corruption (ABC) Programme

12.7.1 Policy Foundation

The Group's ABC programme is governed by the Group Anti-Bribery and Corruption Policy (existing Tier 1 document, approved Q4 2024), applicable to all Group entities, employees, contractors, agents, and third parties acting on behalf of the Group. The programme is consistent with the UK Bribery Act 2010 (which applies to Commerce Plex and has extra-territorial reach relevant to the wider Group), the US Foreign Corrupt Practices Act (FCPA, relevant where US persons or US-listed shares are involved), and applicable local anti-corruption laws in each jurisdiction.

12.7.2 Key Programme Elements

Prohibition. The Group prohibits: payment or receipt of bribes in any form (direct or indirect); facilitation payments; corrupt payments to government officials, regulators, or public servants; and any arrangement through agents, intermediaries, or partners that would result in bribery on the Group's behalf.

Gifts and hospitality. The Group maintains a Gifts and Hospitality Register and applies a defined threshold below which gifts and entertainment are permissible (frequency, value, and recipient-type constraints apply). All gifts or hospitality involving government officials, regulators, or supervisors require Group CCO pre-approval regardless of value. [Specific thresholds to be defined in ABC Policy refresh - TBC.]

Third-party due diligence. All agents, intermediaries, and material third-party partners are screened for ABC risk at onboarding, including adverse media searches for corruption-related indicators, assessment of their own ABC controls, and contractual ABC warranties and termination rights.

High-risk jurisdiction management. Operations in Pakistan, Bangladesh, Nepal, and Iraq are assessed as higher-risk for corruption given country-level CPI scores and sectoral context (payments, government relationships, agent networks). Specific controls in these jurisdictions include:
- Enhanced third-party due diligence for all agents and sub-agents
- No cash payments to agents above defined thresholds
- Transparent, documented regulatory engagement processes (no unofficial engagement without senior sign-off)
- Local management attestation of ABC compliance quarterly

Regulatory engagement. All engagement with regulators, government officials, and supervisors must be conducted through documented, transparent channels. The GH Regulatory Affairs function owns all formal regulatory relationships; informal or undocumented engagement with regulatory officials is prohibited.

Training. All Group employees complete ABC training at induction and annually thereafter. Employees in higher-risk roles or jurisdictions (regulatory affairs, sales, operations in high-risk markets) receive enhanced, role-specific training. Completion is tracked and reported to the CRC.

Reporting. Employees are required to report any suspicion of bribery or corruption through the Group's reporting channels (including the whistleblowing mechanism - [to be established - see Section 27.4]). Reports are investigated by the Group CCO and, where appropriate, escalated to the Board and/or relevant law enforcement.


12.8 Client Funds Safeguarding

12.8.1 Policy Foundation

The Group's approach to client funds safeguarding is governed by the Group Client Funds Safeguarding Policy (existing Tier 1 document, approved Q4 2024). This policy applies to all Group entities that hold, receive, or transmit funds on behalf of clients and merchants, and establishes minimum standards for the segregation, protection, and reconciliation of client monies.

12.8.2 Safeguarding Principles

Segregation. Client funds - defined as funds received from, or held on behalf of, clients and merchants that have not yet been settled or disbursed - must at all times be held in designated segregated bank accounts, separate from the Group's own operating funds. Commingling of client funds with Group operating funds is strictly prohibited.

Designated accounts. Each regulated entity maintaining client funds must designate specific bank accounts for this purpose, clearly identified as trust, client, or safeguarding accounts in the account documentation. Bank mandates for designated accounts must require the bank to acknowledge the client funds purpose.

Reconciliation. The treasury function performs daily reconciliation of all client fund balances across all designated accounts. The reconciliation confirms that the aggregate balance in designated client accounts equals or exceeds the aggregate client money obligation (i.e., funds owed to clients and merchants). Any shortfall is a critical incident requiring immediate escalation to the CFO and CEO.

Investment of client funds. Where client funds are held overnight or for periods exceeding the settlement cycle, they may only be placed in instruments specified in the applicable safeguarding policy (typically overnight deposits at investment-grade banks; government securities in certain jurisdictions). Client funds may not be invested in instruments carrying material capital or liquidity risk.

Insolvency protection. The safeguarding structure is designed to ensure that, in the event of a Simpaisa entity entering insolvency, client funds held in designated accounts are not available to general creditors and can be returned to clients. Legal counsel reviews the adequacy of the safeguarding structure for each regulated entity against local insolvency law at minimum annually. [TBC - confirm legal review status for each entity.]

12.8.3 Regulatory Compliance

Client funds safeguarding requirements vary by jurisdiction:
- Canada (FINTRAC entities): Client funds handling consistent with MSB/FMSB obligations; no specific EMI-style safeguarding regime, but Group policy applies Group minimum standards.
- UAE (post-DFSA authorisation): DFSA Client Money Rules apply; full client money segregation required; DFSA annual client money audit.
- Pakistan (SBP): SBP branchless banking requirements on agent float and client fund handling.
- Bangladesh (Bangladesh Bank / aamarPay PSO): Bangladesh Bank PSO conditions on client fund management.


12.9 Anti-Fraud Programme

12.9.1 Programme Foundation

The Group's anti-fraud programme is built on the existing anti-fraud policies in place for the Canadian entities (Anti-Fraud Policy - Commerce Plex Canada; Anti-Fraud Policy - Simpaisa CA). These are being extended into a Group-level anti-fraud framework in 2026. [Group Anti-Fraud Policy (Tier 1) to be drafted - TBC.]

12.9.2 Fraud Risk Landscape

Simpaisa's payment products are exposed to a range of fraud typologies, including:

Fraud Type | Relevant Products | Key Controls
Merchant fraud (false merchants, misuse of credentials) | Pay-Ins | KYB at onboarding; transaction monitoring; MDR clawback provisions in MPSA; merchant risk scoring
Account takeover (ATO) - merchant portal | All products | MFA on merchant portal; login anomaly monitoring; session management; CISO controls
Synthetic identity fraud | Pay-Ins, Wallets | Document verification at KYC; biometric verification where available; device fingerprinting
First-party fraud (friendly fraud / chargeback abuse) | Pay-Ins (card) | 3D Secure; chargeback management process; dispute evidence retention
Refund / reversal fraud | Pay-Ins | Refund velocity controls; refund-to-sale ratio monitoring; manual review of unusual refund patterns
Payment diversion / social engineering | Pay-Outs | Dual-authorisation for large disbursements; beneficiary verification; out-of-band confirmation for changes to beneficiary bank details
Agent network fraud | Pay-Ins OTC; Pay-Outs OTC | Agent credentialing; transaction limits; agent behaviour monitoring; daily reconciliation
Crypto-related fraud | Crypto off-ramping | VASP due diligence on Binance relationship; FATF Travel Rule compliance; transaction limits; enhanced monitoring
Insider fraud | All products | Segregation of duties; privileged access controls; HR screening; internal audit

12.9.3 Key Controls

Prevention:
- KYC/KYB standards at onboarding (Section 12.3) prevent fraudulent entities from accessing the platform.
- Device fingerprinting and behavioural biometrics on consumer-facing flows where technically feasible.
- Transaction velocity limits by payment method, corridor, and merchant.
- Merchant portal security: mandatory MFA, session timeout, IP allowlisting for API access.

Detection: - Transaction monitoring (Section 12.4) includes fraud-specific detection scenarios (structuring, velocity, ATO indicators). - Real-time alert monitoring by the NOC/SOC for system anomalies that may indicate platform fraud. - Merchant-level reporting and anomaly detection in the BI/analytics function.
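The velocity, refund-to-sale ratio and structuring scenarios named under Prevention and Detection are simple to express as rules over a transaction stream. The following is an added illustration, not part of the Group's policy or platform code: the thresholds, field names, merchant and customer identifiers and the transaction records are all constructed assumptions chosen so that each scenario fires exactly once. Real thresholds would be set per payment method and corridor by the compliance function, and the velocity rule would normally run in the payment path rather than in batch.

```python
"""Added example: three fraud-detection scenarios run over constructed
transaction records. Thresholds and data are illustrative assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not policy values)
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = {"card": 5, "wallet": 8}    # max sales per merchant+method in window
REFUND_RATIO_MAX = 0.30                    # refunded amount / sold amount
REFUND_MIN_SALES = 3                       # ignore merchants with too few sales
STRUCTURING_THRESHOLD = 10_000.0           # reporting threshold being evaded
STRUCTURING_BAND = 0.10                    # "just under" = within 10% below it
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3


def detect(transactions):
    """Return a list of (rule, merchant_id, detail) alerts.

    Each rule fires at most once per key so that a burst of transactions
    produces one alert for an analyst rather than one per transaction.
    """
    alerts = []
    recent = defaultdict(deque)          # (merchant, method) -> sale timestamps
    near_threshold = defaultdict(deque)  # customer -> timestamps just under threshold
    sales = defaultdict(float)
    refunds = defaultdict(float)
    sale_count = defaultdict(int)
    velocity_fired, structuring_fired = set(), set()
    band_low = STRUCTURING_THRESHOLD * (1 - STRUCTURING_BAND)

    # ISO-8601 timestamps sort correctly as strings
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(tx["ts"])
        m = tx["merchant"]
        if tx["type"] == "refund":
            refunds[m] += tx["amount"]
            continue

        # Velocity: sliding window of sales per merchant and payment method
        key = (m, tx["method"])
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) > VELOCITY_MAX.get(tx["method"], 5) and key not in velocity_fired:
            alerts.append(("velocity", m, f"{len(window)} {tx['method']} sales within {VELOCITY_WINDOW}"))
            velocity_fired.add(key)

        sales[m] += tx["amount"]
        sale_count[m] += 1

        # Structuring: repeated payments just below the reporting threshold
        if band_low <= tx["amount"] < STRUCTURING_THRESHOLD:
            c = tx["customer"]
            hits = near_threshold[c]
            hits.append(ts)
            while hits and ts - hits[0] > STRUCTURING_WINDOW:
                hits.popleft()
            if len(hits) >= STRUCTURING_MIN_COUNT and c not in structuring_fired:
                alerts.append(("structuring", m, f"customer {c}: {len(hits)} payments just under {STRUCTURING_THRESHOLD:.0f}"))
                structuring_fired.add(c)

    # Refund-to-sale ratio: evaluated per merchant over the whole batch
    for m, sold in sales.items():
        if sale_count[m] >= REFUND_MIN_SALES and sold > 0:
            ratio = refunds[m] / sold
            if ratio > REFUND_RATIO_MAX:
                alerts.append(("refund_ratio", m, f"refund-to-sale ratio {ratio:.2f}"))
    return alerts


def _tx(ts, merchant, customer, type_, method, amount):
    return {"ts": ts, "merchant": merchant, "customer": customer,
            "type": type_, "method": method, "amount": amount}


# Constructed sample data (hypothetical merchants and customers)
SAMPLE_TRANSACTIONS = (
    # M-003: one customer pays 9,400 / 9,600 / 9,900 over a day -> structuring
    [_tx("2026-04-01T09:00:00", "M-003", "C-9", "sale", "wallet", 9_400.0),
     _tx("2026-04-01T14:00:00", "M-003", "C-9", "sale", "wallet", 9_600.0),
     _tx("2026-04-01T20:00:00", "M-003", "C-9", "sale", "wallet", 9_900.0)]
    # M-001: six card sales in six minutes -> velocity (limit is 5)
    + [_tx(f"2026-04-01T10:0{i}:00", "M-001", f"C-{i}", "sale", "card", 40.0) for i in range(6)]
    # M-002: 600 sold, 300 refunded -> refund ratio 0.50
    + [_tx("2026-04-01T11:00:00", "M-002", "C-20", "sale", "card", 200.0),
       _tx("2026-04-01T11:20:00", "M-002", "C-21", "sale", "card", 200.0),
       _tx("2026-04-01T11:40:00", "M-002", "C-22", "sale", "card", 200.0),
       _tx("2026-04-01T12:00:00", "M-002", "C-20", "refund", "card", 150.0),
       _tx("2026-04-01T12:30:00", "M-002", "C-21", "refund", "card", 150.0)]
    # M-004: normal merchant, small refund -> no alert
    + [_tx("2026-04-01T13:00:00", "M-004", "C-30", "sale", "card", 100.0),
       _tx("2026-04-01T13:10:00", "M-004", "C-31", "sale", "card", 100.0),
       _tx("2026-04-01T13:20:00", "M-004", "C-32", "sale", "card", 100.0),
       _tx("2026-04-01T13:30:00", "M-004", "C-30", "refund", "card", 20.0)]
)

if __name__ == "__main__":
    for rule, merchant, detail in detect(SAMPLE_TRANSACTIONS):
        print(f"{rule:<13} {merchant}  {detail}")
```

Velocity and structuring are evaluated as the stream is consumed, because both depend on ordering within a time window; the refund ratio is evaluated once over the accumulated totals because a single refund says nothing until it is compared with what the merchant has sold. The per-key "fired" sets are the alert de-duplication that keeps a 200-transaction burst from producing 195 alerts.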

Response: - Fraud incidents are escalated to the CISO, CCO, and CFO depending on nature. - Material fraud events trigger the Group Incident Management process (P1 or P2 classification). - Fraud losses are tracked in the Group fraud loss register and reported to the ARC quarterly. - Regulatory reporting of fraud events as required by applicable local law.


12.10 Compliance Monitoring and Testing

12.10.1 Purpose

Compliance monitoring and testing is the second-line function's systematic review of whether first-line controls are operating as designed and whether the Group's policies and procedures are being adhered to in practice. It provides the Group CCO and CRC with ongoing, evidence-based assurance on compliance programme effectiveness, distinct from and complementary to the third-line internal audit function.

12.10.2 Monitoring Programme Structure

Continuous monitoring. The Group CCO maintains a set of continuous compliance monitoring metrics - drawn from transaction monitoring alert data, KYC completion rates, training completion rates, SAR/STR filing data, and regulatory filing timeliness - that are reviewed monthly by the compliance function and reported to the CRC quarterly.

Periodic deep-dive reviews. The annual compliance monitoring plan designates specific areas for detailed testing each quarter. Testing involves reviewing samples of actual cases (e.g., a sample of CDD files for new merchant onboardings; a sample of transaction monitoring alert dispositions; a sample of SAR/STR filings) and assessing whether the required process was followed, documentation is complete, and decisions are well-reasoned and consistent. Findings are reported to the function head of the area reviewed, with remediation tracked to closure.

Thematic reviews. Where a regulatory development, peer enforcement action, or internal incident suggests a specific risk area, the Group CCO may commission a thematic review focusing on that area across all relevant entities. Thematic review findings are reported to the CRC.

12.10.3 Monitoring Areas - Annual Coverage (Indicative)

| Quarter | Monitoring Focus |
|---|---|
| Q1 | KYC/KYB CDD file quality - new merchant onboardings (prior 12 months) |
| Q1 | Training completion rates - all jurisdictions |
| Q2 | Transaction monitoring alert disposition quality - sample review |
| Q2 | SAR/STR filing completeness and timeliness review |
| Q3 | Sanctions screening programme - alert logs, false positive rates, true hit handling |
| Q3 | Canadian FINTRAC reporting obligations - LCTR, EFTR, STR |
| Q4 | Pakistan SBP reporting obligations - PublishEx |
| Q4 | Ongoing monitoring / periodic review completion rates for existing CDD |
| Q4 | ABC controls - gifts register, third-party due diligence files |

12.10.4 Reporting

Monitoring and testing results are reported:
- Monthly: summary compliance health dashboard to the Group CCO
- Quarterly: compliance monitoring report to the CRC (including findings, risk ratings, and remediation status)
- Annually: compliance programme effectiveness assessment included in the annual FCRA

Material findings - those representing a significant gap in controls, a potential regulatory breach, or a pattern of non-compliance - are escalated immediately to the Group CCO and, where appropriate, to the CEO and CRC Chair, outside the normal reporting cycle.


12.11 Regulatory Reporting Calendar

The Regulatory Reporting Calendar provides a consolidated, Group-wide view of all recurring compliance reporting obligations. It is maintained by the GH Regulatory Affairs team and reviewed at each CRC meeting. The calendar below is indicative and subject to regulatory updates; entities are responsible for monitoring their own obligations for any amendments.

| Obligation | Jurisdiction | Entity | Regulator / FIU | Frequency | Approximate Deadline | Responsible Officer |
|---|---|---|---|---|---|---|
| MSB Annual Compliance Report | Canada | Simpaisa CA LTD | FINTRAC | Annual | 31 March | Simpaisa CA CO |
| FMSB Annual Compliance Report | Canada | Commerce Plex Limited | FINTRAC | Annual | 31 March | Commerce Plex CO |
| Large Cash Transaction Reports (LCTRs) | Canada | Both entities | FINTRAC | Per transaction | Within 15 calendar days of the transaction | Local Compliance Officers |
| Electronic Funds Transfer Reports (EFTRs) | Canada | Both entities | FINTRAC | Per transaction | Within 5 working days | Local Compliance Officers |
| Suspicious Transaction Reports (STRs) | Canada | Both entities | FINTRAC | Per incident | As soon as practicable after reasonable grounds to suspect are established | Local Compliance Officers |
| Terrorist Property Reports | Canada | Both entities | FINTRAC | Per incident | Immediately | Local Compliance Officers |
| Schedule H Regulatory Reporting | Pakistan | PublishEx | SBP | Quarterly | Per SBP circular deadlines | GH Regulatory Affairs / Country Head Pakistan |
| Annual Compliance Certification | Pakistan | PublishEx | SBP | Annual | [TBC - confirm with SBP] | GH Regulatory Affairs |
| Suspicious Transaction Reports (STRs) | Pakistan | PublishEx | FMU | Per incident | Immediately / ASAP | PublishEx MLRO |
| PSO Regulatory Reporting | Bangladesh | Soft Tech / aamarPay | Bangladesh Bank | Monthly / Quarterly (per BB instructions) | Per Bangladesh Bank deadlines | Country Head BD / Local CO |
| Suspicious Transaction Reports (STRs) | Bangladesh | Soft Tech / aamarPay | BFIU | Per incident | Per BPSSR 2014 [TBC - confirm deadline] | Country Head BD / Local CO |
| NRB Reporting (partnership model) | Nepal | Pay Nest | NRB | Per NRB requirements | [TBC] | Country Head BD&NP |
| Suspicious Transaction Reports | Nepal | Pay Nest | FIU Nepal | Per incident | [TBC] | Country Head BD&NP |
| MAS Returns | Singapore | Simpaisa Holdings | MAS | Annual / as required | [TBC] | Group CCO / Singapore Secretary |
| DFSA Regulatory Reporting | UAE | Simpaisa Technologies | DFSA | Periodic (post-authorisation) | Per DFSA rulebook | UAE MLRO / GH Regulatory Affairs |
| UK MSB HMRC Registration Renewal | UK | Commerce Plex | HMRC | As required | [TBC] | Commerce Plex CO |
| SAR filing | UK | Commerce Plex | NCA - UKFIU | Per incident | ASAP | Commerce Plex MLRO |
| Group Financial Crime Risk Assessment | All | All entities | Internal / multiple regulators | Annual | March | Group CCO / GH Regulatory Affairs |
| ISO 27001 Surveillance Audit | Group | All entities | BSI / Certification Body | Annual | June | CISO |
| PCI DSS Report on Compliance | Group | Payment-processing entities | Acquiring bank / card schemes | Annual | June | CISO |
| External Audit (Singapore HoldCo) | Singapore | Simpaisa Holdings | PwC Singapore | Annual | February | Global CFO |
| External Audit (Pakistan) | Pakistan | PublishEx | PwC Pakistan | Annual | February | Global CFO |

Document: Section 04-11-12 - Governance, Regulatory and Compliance
Version: 0.1 | April 2026 | Owner: Chief Digital Officer
Classification: Confidential - Board and Executive Distribution Only
Status: Draft for Board Review - items marked [TBC] require Board confirmation or further regulatory/legal input