Simpaisa Group Operating Model

Sections 1, 2, 13, and 14 - Introduction, Strategic Context, Enterprise Risk, and Islamic Finance

Version 0.1 | April 2026 | Document Owner: Chief Digital Officer


Section 1: Introduction and Purpose


1.1 Document Purpose and Scope

This document is the Simpaisa Group Operating Model. It is the authoritative reference for how Simpaisa Holdings PTE. Limited and its subsidiary and affiliated entities are organised, governed, and operated. It covers the group's corporate structure, people model, core business processes, risk and compliance frameworks, technology architecture, financial operations, country-level operating models, and the policy landscape that governs the entire enterprise.

The operating model has been prepared to serve four interconnected purposes.

Internal governance and management. As Simpaisa has grown from a single-market payments operator into a nine-entity group processing over one billion dollars in transactions across three live markets - and expanding into Saudi Arabia, MENA, and Central Asia - the complexity of managing the business through informal mechanisms has reached its natural limit. This document makes explicit what was previously implicit: who decides what, who is accountable for which outcomes, how processes work end-to-end, and what standards apply across the group.

Regulatory and licence readiness. Simpaisa's expansion trajectory requires engagement with regulators of significantly greater sophistication than those encountered in Pakistan and Bangladesh. The DFSA Category 3D application process, SAMA Major Payment Institution licensing in Saudi Arabia, and National Bank of Kazakhstan requirements all demand that Simpaisa present a coherent, documented, and auditable operating model. Regulators at this tier do not accept verbal explanations of how a group functions; this document provides the written substance to support regulatory submissions, examinations, and on-site visits.

Investor and board confidence. Simpaisa's shareholders - including Planet N Group (Nadeem Hussain, founder of Easypaisa and former State Bank of Pakistan board member) and Sarmayacar VC - expect a level of institutional governance commensurate with the company's scale and ambitions. This operating model gives the board line of sight across all material dimensions of the business: risk, compliance, organisational accountability, and operational resilience.

Organisational alignment and onboarding. A 180-person organisation operating across Pakistan, Bangladesh, Nepal, Iraq, the UAE, Singapore, Canada, and the United Kingdom cannot rely on tribal knowledge. New hires - particularly at senior and management levels - require a single reference that orientates them to how the group works. This document provides that reference.

Scope. The operating model covers Simpaisa Holdings PTE. Limited (Singapore HoldCo) and all subsidiaries and branch offices within the group as at April 2026, comprising: PublishEx Solutions PVT Limited (Pakistan); Simpoysha BD Limited (Bangladesh); Soft Tech Innovation PVT LTD / aamarPay (Bangladesh); Simpaisa Technologies LTD (UAE); Commerce Plex Limited (UK); Simpaisa CA LTD (Canada); Simpaisa Holdings PTE. LTD Iraq Branch Office; and Pay Nest PVT LTD (Nepal). Where content is entity-specific, this is indicated. Where content describes group-level standards and frameworks, it applies to all entities unless an explicit carve-out is stated.

The operating model does not restate the full text of existing policy documents. Where a policy already exists - for example, the Group Compliance Framework, Group Sanctions Policy, or AML/CFT/CPF programme documentation - this document cross-references and summarises the policy, describes how it operates in practice, and identifies any known gaps to be addressed. A full policy index is provided in Section 27.


1.2 How to Use This Document

The operating model is structured across eleven parts. Not every reader needs to engage with every part. The following guide directs each audience to the sections most relevant to their role and responsibilities.

Board of Directors. Start with Part I (Sections 1 and 2) for the strategic context, then proceed to Part II (Sections 3 and 4) for governance structure and delegation of authority. Section 13 (Enterprise Risk Management) and the country risk profiles are essential reading for directors serving on the Audit and Risk Committee and the Compliance and Regulatory Committee. Section 14 (Islamic Finance) is relevant to directors providing oversight of expansion into Saudi Arabia and MENA.

Executive Leadership Team. Part I through Part IV are essential reading in full. The RASCI matrices in Section 7 define where your function has authority versus where it has accountability or a consulting role across each of Simpaisa's core business processes. Each C-level executive should also read their relevant country operating model sections (Part IX), particularly where their function intersects with in-country operations.

Country Heads and Country-Level Management. Sections 1, 2, and 3 provide the group context. Section 4 clarifies governance delegation. The country-specific section within Part IX is the primary operational reference for your market. Sections 11 and 12 cover the regulatory and compliance frameworks that you are responsible for implementing at the country level.

Technology and Engineering (CTO and CISO Organisations). Part VI (Sections 15 and 16) is the primary reference. Section 13.8 covers technology and cyber risk within the ERM framework. Section 7 contains RASCI matrices for technology change management, incident management, and product development.

Finance and Treasury. Part VII (Sections 17 and 18) is the primary reference. Section 13.4 covers financial risk - FX, liquidity, credit, counterparty, and settlement risk - which should be read in conjunction with Section 18.

Risk, Compliance, and Regulatory Affairs. Part V (Sections 11 through 14) is the primary reference. Section 13 contains the ERM framework and risk appetite statement. Section 14 provides the Shariah compatibility framework and Islamic market operational guidance. Section 11 contains the full licensing map.

Product and Commercial Teams. Sections 8 and 9 cover the product operating models and commercial operations in detail. Section 14.2 covers merchant Shariah screening, which intersects directly with the KYB onboarding process owned by Product and Compliance jointly.

Human Resources. Section 19 covers people strategy and HR operations. Section 5 provides the organisational structure. Section 6 provides executive and management role profiles.

New Joiners. Begin with Sections 1 and 2 for the company context, then read Section 5 (Organisational Design) to understand the group structure, and Section 6 for the role profile relevant to your position. Your line manager should direct you to the specific operational sections most relevant to your function.


1.3 Document Governance

Owner. This operating model is owned by the Chief Digital Officer (CDO), Daniel O'Reilly, who oversees Product, Security, Data, and Technology. The CDO is responsible for ensuring the document remains current, accurate, and complete, and for commissioning updates when material changes occur.

Review cadence. The operating model is subject to a formal review on a quarterly basis, timed to align with the board's quarterly governance cycle. Scheduled review dates for the remainder of 2026 are: 30 June, 30 September, and 31 December. Reviews are conducted by the CDO with input from the relevant functional owners for each section.

Trigger-based updates. In addition to quarterly reviews, the document must be updated promptly upon the occurrence of any of the following events: entry into a new market or activation of a new corridor; acquisition of a new regulatory licence or material change in licensing status; significant restructuring of the group's corporate or organisational structure; acquisition or disposal of a subsidiary or equity stake; material change in a product, product line, or technology architecture; or a material risk event that requires changes to risk management processes or controls.

Change management. Proposed changes to the operating model are submitted to the CDO. Changes to sections with regulatory implications - including Sections 11 through 14 - require review by the Global Head of Regulatory Affairs and the relevant functional head (Global CFO for financial risk; CISO for technology and cyber risk; CPO for product-related changes) before the CDO approves and publishes the updated version.

Version control. The operating model uses a major/minor versioning scheme. Major versions (1.0, 2.0) denote significant structural revisions. Minor versions (1.1, 1.2) denote targeted section updates. All versions are maintained in the Simpaisa data room under the Operating Model folder. Each published version is accompanied by a change log entry in Appendix H, recording the section(s) changed, the nature of the change, the approver, and the effective date.

Current version. This is Version 0.1, representing the initial draft of the operating model. Sections are being completed progressively in priority order. Sections not yet finalised are indicated with a [DRAFT] or [PENDING] marker. The operating model will be designated Version 1.0 upon completion of all sections and formal sign-off by the CEO.

Confidentiality. This document is classified as Simpaisa Confidential. It may be shared with regulators, auditors, and investors under appropriate confidentiality arrangements but is not for public distribution.


Section 2: Company Overview and Strategic Context


2.1 Company History and Evolution (2016–Present)

Simpaisa was founded in 2016 by Yassir Pasha, who brings prior experience from Morgan Stanley, with an insight that has since been validated by the trajectory of the business: that the world's fastest-growing consumer economies - concentrated in frontier markets across South Asia, the Middle East, and Africa - are severely underserved by the existing cross-border payments infrastructure. The large global payment networks were built for developed markets with mature banking systems, stable currencies, and well-established correspondent relationships. They perform poorly in markets where mobile wallets outnumber bank accounts, where currencies are volatile and subject to capital controls, and where the last-mile delivery of funds requires integration with dozens of local mobile money operators, agent networks, and regional banks.

Pasha's co-founder thesis was that the company best positioned to serve this gap would not be a global network trying to retrofit itself for frontier markets, but a native frontier-market operator that understood the local regulatory, technological, and cultural landscape from the ground up. That thesis has been borne out.

2016–2018: Founding and Pakistan entry. Simpaisa established its first operational entity - PublishEx Solutions PVT Limited - in Pakistan and built its initial payment rails under the State Bank of Pakistan's Schedule H framework, operating through United Bank Limited and 1LINK for interbank transactions. Pakistan was chosen as the founding market because of its scale (a population exceeding 230 million), its high mobile wallet penetration relative to formal banking, and its substantial diaspora remittance corridors - particularly from the United Kingdom, Canada, and the Gulf. In the early period, the team focused on building the technical integrations with Pakistan's mobile wallet operators (Easypaisa, JazzCash, HBL Konnect, Alfa) and establishing the correspondent and bank relationships required to operate as a payment aggregator.

2019–2020: Investor backing and product expansion. Simpaisa attracted early-stage backing from Sarmayacar, Pakistan's leading technology venture capital fund, and grant funding from Karandaaz, a financial inclusion initiative supported by the Bill and Melinda Gates Foundation. This capital supported the expansion of the product portfolio - from initial pay-in collections to the addition of pay-out (disbursement) capabilities - and the deepening of the Pakistan merchant base. Landmark merchant relationships with global companies including Google, Samsung, and Tencent (for in-game payments via Garena and related platforms) established Simpaisa's credentials as a reliable aggregator capable of handling tier-one merchant volumes.

2021–2022: Regional expansion and the Bangladesh entry. Simpaisa expanded into Bangladesh through the establishment of Simpoysha BD Limited and, subsequently, through the acquisition of a strategic equity stake in Soft Tech Innovation PVT LTD, the company operating the aamarPay payment aggregator. The aamarPay acquisition gave Simpaisa an operational PSO-licensed platform in Bangladesh rather than requiring a ground-up build, accelerating time to market materially. Bangladesh's payment landscape - dominated by bKash, Nagad, and Rocket - required a different technical and commercial approach from Pakistan, and the aamarPay team's existing relationships with Bangladesh Bank and the mobile money operators proved essential.

2022–2023: Multi-corridor architecture and Nepal entry. Simpaisa established Pay Nest PVT LTD in Nepal, adding a third frontier-market corridor. Nepal's payments landscape is distinct from both Pakistan and Bangladesh: it is dominated by fintech wallets (Khalti, e-Sewa, IME Pay) rather than mobile network operator wallets, and it has a significant inbound remittance economy driven by Nepali migrant workers in the Gulf and Malaysia. Nepal Rastra Bank's regulatory requirements - including minimum capital thresholds - presented barriers that Simpaisa's multi-entity structure was designed to navigate. The group also activated Canada-based entities (Simpaisa CA LTD and Commerce Plex Limited) as MSB and FMSB licensed remittance origination points, enabling regulated corridor flows from North America.

2023–2024: Crypto off-ramping and strategic partnership with Binance. Simpaisa developed and launched a crypto off-ramp product, enabling merchants and individuals to convert USDT into Pakistani rupees and receive settlement via local payment rails. The strategic partnership with Binance - the world's largest cryptocurrency exchange by volume - provided immediate access to significant USDT flow seeking fiat conversion in a market where formal exchange channels are constrained by capital controls. This product required investment in VASP-compatible AML/CFT controls, including FATF Travel Rule compliance capabilities, and deepened Simpaisa's expertise in a product category that is growing rapidly across its target markets.

2024–2025: White-label wallets, Iraq entry, and scale-up. Simpaisa launched its white-label wallet product, enabling third-party partners to offer branded digital wallet services on Simpaisa's multi-tenant infrastructure. The company established a branch office in Iraq, entering a market with distinctive characteristics: a large unbanked population, substantial reconstruction-driven payment volumes, and a regulatory and sanctions environment requiring heightened controls. The company achieved and maintained ISO 27001 and PCI DSS certifications during this period, reflecting the maturity of its information security programme. Total transaction volumes exceeded one billion dollars, and the group reached approximately 180 employees across its entities.

2025–2026 and beyond: MENA and Central Asia expansion. Simpaisa is in active expansion mode. Saudi Arabia is the priority growth market, being pursued initially through an aggregator model via a local processor, with a pathway to a SAMA Major Payment Institution licence. Central Asia - specifically Kazakhstan and Uzbekistan - and broader MENA (Egypt, Jordan, Kuwait, Bahrain, Oman) are under active evaluation. The DFSA Category 3D licensing process for the UAE/DIFC operation is in progress. Simpaisa Technologies LTD, the UAE entity, is the planned vehicle for the group's DIFC-regulated operations and the hub for MENA commercial relationships.


2.2 Vision, Mission, and Values

The name. Simpaisa is derived from the Urdu and Hindi words sim (simple) and paisa (money). Paisa is the everyday word for money across the Urdu- and Hindi-speaking world - the word used by a street vendor collecting payment, a family sending funds to relatives in the village, a worker receiving a wage. The name is deliberate: Simpaisa exists to make money movement simple for the people and markets for which the incumbent financial system has made it complicated.

Vision. To be the defining payments infrastructure for frontier markets - the platform through which money moves simply, reliably, and affordably across the world's fastest-growing and most underserved corridors.

Mission. To connect global commerce with frontier markets by building the deepest, most reliable, and most locally embedded payment network in each market we serve, enabling merchants, financial institutions, and individuals to transact across borders without friction.

Values. Simpaisa's values have been shaped by the environments in which it operates: markets where financial infrastructure fails regularly, where regulatory change is sudden, where the communities served have been excluded from formal financial services for generations, and where the team must exercise technical excellence and cultural sensitivity simultaneously.

Frontier-first. We do not treat frontier markets as afterthoughts or edge cases. Our architecture, our commercial model, and our organisational design are built around the specific realities of operating in Pakistan, Bangladesh, Nepal, Iraq, and beyond. When a payment fails because of a telco outage in Karachi or a foreign exchange control in Dhaka, our team treats it with the same urgency that a system failure would receive in any tier-one market.

Earned trust. We operate in regulated industries with significant financial crime, fraud, and geopolitical risk. Our merchants, regulators, and bank partners extend trust to Simpaisa on the basis of demonstrated competence and integrity. We do not cut corners on compliance, do not compromise on security, and do not promise what we cannot deliver. Trust is earned slowly and lost quickly.

Local depth, global standards. We hold ourselves to global standards - ISO 27001, PCI DSS, FATF compliance - whilst operating with the depth of local knowledge that only comes from years of on-the-ground engagement. Our teams in Pakistan, Bangladesh, and Nepal are not outposts of a Dubai head office; they are subject-matter experts in their markets, whose knowledge is central to the product and the platform.

Commercial discipline. Simpaisa is profitable. In an industry where payment companies frequently chase volume at the expense of margin, we have maintained commercial discipline - pricing for sustainable returns, managing float efficiently, and entering new markets on the basis of a credible business case rather than growth-at-any-cost logic.

Inclusive by design. Financial inclusion is not a brand exercise. Our products reach users who are unbanked or underbanked, operating on mobile wallets in markets where a formal bank account is either inaccessible or unaffordable. We treat this as a commercial opportunity and as a responsibility.


2.3 Strategic Pillars and Growth Thesis

Simpaisa's strategy for the period 2025–2028 is organised around five interlocking pillars. These pillars are not independent programmes; they reinforce one another and are designed to compound Simpaisa's competitive position over time.

Pillar 1: Geographic expansion. Simpaisa's immediate priority expansion markets are Saudi Arabia, Kazakhstan, and Uzbekistan, with Egypt, Jordan, and the broader Gulf under active evaluation. The expansion thesis is not simply to add markets for volume; it is to expand the set of corridors that Simpaisa can serve end-to-end. Saudi Arabia is the single largest source of remittances to Pakistan and Bangladesh, and activating the Saudi-Pakistan and Saudi-Bangladesh corridors with Simpaisa's own infrastructure on both ends - rather than relying on correspondent banks - transforms the economic model of that corridor entirely. The same logic applies to Central Asia, where migrant worker remittance flows to South Asia are substantial and underserved. Geographic expansion is sequenced: regulatory readiness precedes commercial launch, and a partnership or aggregator phase precedes own-licence operation.

Pillar 2: Product deepening. Simpaisa's core products - Pay-Ins, Pay-Outs, and Remittances - generate the majority of revenue. The white-label wallet and crypto off-ramp products represent the next tier of product complexity and margin opportunity. Within existing products, the deepening agenda focuses on: expanding the payment method matrix within each market (adding new mobile wallets, bank integrations, and agent network access as they become available); improving settlement speed and reducing settlement risk; and developing analytics and reconciliation capabilities that reduce the operational burden on merchant integration teams. Product deepening also includes the Zakat payment facilitation capability, which is discussed in Section 14.4, and which represents a meaningful commercial opportunity in Saudi Arabia and Gulf markets during the Islamic calendar's annual Zakat season.

Pillar 3: Corridor density and network effects. A payments network becomes more valuable - and more defensible - as the number of corridors it supports increases. Each new sending-market licence and each new receiving-market rail adds value to every other corridor on the network. A merchant processing payments in five Simpaisa markets benefits from a single integration, a single reconciliation interface, and a single compliance relationship. The network effect compounds: as Simpaisa becomes the dominant aggregator on a given corridor, its pricing, reliability data, and regulatory relationships create barriers to entry that a new entrant cannot easily replicate. Corridor density is therefore a strategic priority independent of the individual economics of any single corridor.

Pillar 4: Regulatory moat. Simpaisa's policy is to hold its own licences in each market it operates in, rather than relying indefinitely on sub-licensing arrangements or operating under a partner's regulatory umbrella. Own-licence status transforms the regulatory relationship from a dependency into a competitive advantage: it gives Simpaisa direct access to central bank payment systems, direct relationships with local regulators, and the ability to offer licensed services to correspondents and partners who lack local licences themselves. The regulatory moat is built over time and at significant cost - the DFSA Category 3D application, for example, requires demonstrating adequate governance, capital, and systems before a licence is granted - but the resulting barrier is high and durable.

Pillar 5: Islamic-market alignment. Approximately 1.8 billion Muslims live in Simpaisa's current and target markets. Pakistan, Bangladesh, Iraq, Saudi Arabia, Kazakhstan, and Uzbekistan are all majority-Muslim countries. Simpaisa is not an Islamic financial institution, and its products are not structured as Islamic financial products per se. However, the company's commitment to operating in a manner that is compatible with Islamic finance principles - avoiding interest-bearing float structures where alternatives are available, rigorously screening merchants for haram activities, demonstrating cultural competency in all market interactions, and developing capabilities that serve Islamic-market-specific needs such as Zakat facilitation - is a material differentiator relative to global payment aggregators that treat Islamic-market sensitivity as an afterthought. This pillar is explored in full in Section 14.


2.4 Target Operating Model Summary - Deloitte TOM Framework

Simpaisa's operating model is structured around the Deloitte Target Operating Model framework, which organises operational design across six dimensions. This framework provides a structured approach to ensuring that all elements of the operating model are coherent and mutually reinforcing.

Strategy. The strategy dimension captures the company's purpose, the markets it serves, the products it offers, and the competitive positioning it seeks. At Simpaisa, strategy is set by the CEO and Executive Leadership Team, validated by the board, and translated into operational priorities through the annual planning cycle. The five strategic pillars described in Section 2.3 constitute the strategy layer of the TOM. The strategy dimension also includes the market entry evaluation framework (Section 26.1), which provides a standardised scorecard for assessing new corridor opportunities against regulatory, commercial, technical, and risk criteria.

Governance. The governance dimension covers the board and committee structure, the executive leadership mandate, the delegation of authority framework, and the document and policy governance regime. At group level, governance is exercised through the Board of Directors and its four committees: Audit and Risk; Compliance and Regulatory; Remuneration and Nomination; and Technology and Information Security. Executive governance is exercised through the CEO's twelve-person leadership team and the group-wide RASCI matrices that define accountability for each major process. Document governance - including the operating model itself - is described in Section 1.3.

Processes. The processes dimension covers the end-to-end business processes that constitute Simpaisa's operational activity: payment collection and disbursement, remittance processing, merchant onboarding, settlement and reconciliation, compliance screening, incident management, and regulatory reporting. These processes are documented in Parts III and IV of the operating model, with RASCI matrices in Section 7 defining the accountability framework for each process across all functional areas. Process standards are set at group level and adapted at the country level to reflect local regulatory requirements and payment infrastructure characteristics.

People. The people dimension covers organisational design, role definition, headcount planning, capability development, and culture. Simpaisa operates a hybrid model combining global functional teams and geographic P&L ownership, as described in Section 5. The people dimension is under active development: as the company moves from 180 employees to the scale required to support MENA and Central Asia expansion, the talent model, compensation framework, and learning and development programme must evolve in parallel with the business. Section 19 covers the people strategy in detail.

Technology. The technology dimension covers the platform architecture, infrastructure, development practices, and quality assurance that underpin the payment products. Simpaisa's technology is built on AWS cloud infrastructure (with Cloudflare deployed in-country for markets requiring local data sovereignty), an active-active disaster recovery architecture, and an SRE operating model for platform reliability. The technology stack - including the payment gateway, processing engine, settlement engine, merchant portal, and partner APIs - is described in Section 15. Information security is covered in Section 16, including the ISMS (ISO 27001 certified) and PCI DSS programme.

Data. The data dimension covers how Simpaisa collects, manages, governs, and exploits data as a strategic asset. In a payments business, data is the raw material for transaction monitoring and financial crime detection, for commercial analytics and merchant performance reporting, for regulatory reporting, and increasingly for product intelligence. The data function sits within the CDO's organisation and is responsible for data governance, data architecture, reporting infrastructure, and the analytics capabilities that serve the commercial and operational teams. A Data Governance Policy is identified as a priority gap in the policy roadmap (Section 27.4).


2.5 Competitive Positioning

Simpaisa operates in a global cross-border payments market that is growing rapidly and attracting increasing competitive attention from both incumbent global networks and specialist emerging-market operators. Understanding where Simpaisa is positioned relative to its primary competitors is important context for the operating model, because the competitive environment shapes product priorities, pricing strategies, technology investment, and the pace of regulatory moat-building.

The competitive landscape. Simpaisa's primary competitors across its current and target markets can be grouped into three tiers.

Global emerging-market aggregators - dLocal, Thunes, TerraPay, and Flutterwave - are the most direct comparators. Each has raised significant capital, operates across multiple emerging and frontier markets, and serves a similar merchant profile (global technology companies, e-commerce platforms, and financial institutions seeking to access difficult markets). These players have significant advantages in sales resources, brand recognition among global enterprise merchants, and established relationships with global card networks.

Regional network providers - including Mastercard's Send network and Western Union's B2B offering - serve remittance and commercial payment corridors but are structurally constrained by their reliance on correspondent banking networks, which perform poorly in frontier markets.

Local payment aggregators and PSOs - aamarPay in Bangladesh (in which Simpaisa holds a stake), Easypay and Nift in Pakistan, Khalti and e-Sewa in Nepal - are market-specific operators who compete within a single country but lack the cross-border capability that Simpaisa's merchant base requires.

Simpaisa's differentiation. Against this landscape, Simpaisa competes on four specific dimensions where it has genuine and defensible advantages.

Frontier-market depth. dLocal, Thunes, and TerraPay each serve Pakistan and Bangladesh as markets in their global portfolio. Simpaisa's entire business has been built in these markets. The company's engineering teams, operational teams, and country leadership have years of experience navigating the specific failure modes of South Asian payment infrastructure - telco wallet downtime, IBFT cut-off windows, SBP settlement cycle mechanics, Bangladesh Bank foreign exchange reporting requirements. This depth of operational knowledge translates into meaningfully higher success rates and faster issue resolution than competitors who manage these markets as part of a global portfolio from a remote operations centre.

Local licensing and direct rail access. Simpaisa holds or is in the process of obtaining its own licences in each market it operates in. This gives it direct access to local central bank payment systems - 1LINK in Pakistan, NPSB and BEFTN in Bangladesh - without the dependency on a locally licensed intermediary. Competitors operating without local licences must route through a licensed local partner, which adds cost, adds a settlement lag, and adds a dependency that limits their ability to offer the same service reliability commitments that Simpaisa can make. Local licensing also gives Simpaisa a direct regulatory relationship that enables faster resolution of operational issues that require regulatory engagement.

Islamic-market expertise. None of Simpaisa's primary global competitors has made Islamic-market alignment a specific element of their operating model or product design. Simpaisa's approach to merchant screening for haram activities, its cultural competency in market operations, and its capability development around Islamic finance-adjacent products (Zakat facilitation, Ramadan operational readiness) are not simply ethical commitments - they are commercial differentiators in markets where merchants, partners, and regulators value a counterparty that understands and respects the Islamic finance context.

Corridor economics. Because Simpaisa's network is concentrated on a small number of very high-volume corridors - principally South Asia, with specific sending markets in North America, the Gulf, and the United Kingdom - its corridor economics are materially better than those of a competitor managing fifty corridors with average volume. The Pakistan-Canada corridor, the Bangladesh-UK corridor, and the emerging Pakistan-Saudi Arabia corridor each benefit from Simpaisa's deep operational investment, producing better FX spreads, lower failure rates, and faster settlement than a globally spread competitor can achieve on a lower-volume corridor with less operational focus.


Section 13: Enterprise Risk Management


13.1 ERM Framework

Simpaisa's Enterprise Risk Management framework establishes the approach by which material risks to the group are identified, assessed, managed, monitored, and reported. The framework is grounded in Simpaisa's existing Risk Assessment Policy (in the data room) and is extended in this section to cover the full taxonomy of risks relevant to a cross-border payments aggregator operating in frontier markets.

Risk taxonomy. The group's risks are organised across seven categories, each of which is addressed in a dedicated subsection below:

  1. Operational Risk (Section 13.3)
  2. Financial Risk (Section 13.4)
  3. Regulatory and Compliance Risk (Section 13.5)
  4. Geopolitical and Country Risk (Section 13.6)
  5. Fraud Risk (Section 13.7)
  6. Technology and Cyber Risk (Section 13.8)
  7. Strategic and Reputational Risk

Risk management principles. Simpaisa applies the following principles across the ERM framework:

The three-lines model is the organising governance structure. The first line comprises the business functions - Technology, Operations, Product, Commercial, Country teams - which own and manage risk within their day-to-day activities. The second line comprises Risk and Compliance, which set frameworks, provide oversight, and challenge the first line's risk assessments and controls. The third line is Internal Audit, which provides independent assurance to the board and Audit and Risk Committee.

Risk appetite is set by the board and is expressed both qualitatively and quantitatively. The Risk Appetite Statement in Section 13.2 translates board-level appetite into operational boundaries that inform day-to-day risk decisions.

Risk assessment methodology uses a standard likelihood-impact matrix, with risks assessed on a five-point scale across both dimensions before and after controls (gross and net risk ratings). Risk ratings are used to prioritise management attention, set control investment levels, and determine escalation thresholds.

Risk ownership is assigned at the executive level. Each risk category has a named executive owner who is responsible for ensuring that the relevant controls are designed, operating effectively, and that the risk is reported to the Risk and Compliance function on the agreed schedule.


13.2 Risk Appetite Statement

The following risk appetite statement has been approved by the Simpaisa board. It articulates the level of risk the group is willing to accept across each major risk category in pursuit of its strategic objectives. The statement is reviewed annually and following any material change in the business or its operating environment.

Financial crime and sanctions risk. Simpaisa has zero appetite for wilful or negligent facilitation of money laundering, terrorist financing, proliferation financing, or sanctions evasion. The group accepts that, operating at scale across frontier markets, suspicious activity will be identified and that some activity that completes processing will subsequently prove to be illicit in nature; this is an inherent feature of high-volume payment operations, not evidence of systemic control failure. The group's obligation - and its appetite - is to maintain robust controls, to report suspicious activity promptly, and to act immediately when a control failure is identified.

Regulatory compliance risk. Simpaisa has low appetite for regulatory non-compliance. The group accepts that regulatory requirements in frontier markets change frequently and sometimes with limited notice, and that a short period of non-compliance during a transition to new requirements is possible. Wilful non-compliance, failure to engage regulators proactively, or regulatory breach resulting from inadequate resourcing of the compliance function are not acceptable. Material regulatory breaches that could result in licence suspension or revocation are treated as priority-one risk events.

Operational risk. Simpaisa accepts moderate operational risk as an inherent feature of the payment processing business in frontier markets. The group targets 99.9% platform availability, recognising that infrastructure failures, telco outages, and payment rail downtime in its operating markets create unavoidable operational risk. The group's active-active disaster recovery architecture, SRE model, and business continuity programme are designed to contain the impact of operational events within tolerable bounds. The group does not accept operational risk arising from inadequate controls, under-resourced operations teams, or deferred technology investment.

Financial risk. Simpaisa has low to moderate appetite for FX risk. The group operates in frontier currencies - Pakistani rupee, Bangladeshi taka, Nepali rupee, Iraqi dinar - that are structurally volatile and subject to capital controls. The group manages FX exposure through short settlement windows, pre-funding disciplines, FX hedging where instruments are available, and pricing that incorporates FX risk into the MDR or spread. The group does not accept FX risk arising from inadequate treasury controls or from settlement mismatches that could create unhedged long positions in volatile currencies. Liquidity risk appetite is low: the group must maintain sufficient float in each operating market to meet settlement obligations at all times.

Technology and cyber risk. Simpaisa has low appetite for technology and cyber risk. ISO 27001 certification and PCI DSS compliance are not treated as endpoints but as the minimum baseline. The group accepts that a sophisticated and persistent threat actor may, over time, penetrate any network; the group's appetite for the impact of such an event is low, and the group's investment in detection, response, and recovery capabilities reflects this. Zero-day vulnerabilities and supply-chain attacks in cloud provider infrastructure are accepted as risks that cannot be fully mitigated; their impact must be managed through defence-in-depth architecture and rapid incident response.

Fraud risk. Simpaisa has low appetite for fraud loss arising from inadequate controls. The group accepts that some level of fraud is inherent in high-volume payment processing, and that fraud loss within defined thresholds - expressed as a percentage of total processed volume - is an acceptable cost of operation. Fraud loss exceeding the defined thresholds, or fraud resulting from inadequate merchant screening, KYC/KYB failures, or transaction monitoring gaps, is not acceptable.

Geopolitical and country risk. Simpaisa accepts moderate geopolitical and country risk as an inherent feature of frontier-market operations. The group's strategy is explicitly oriented towards markets that carry geopolitical risk - and the group earns a premium for accepting and managing that risk. The group does not accept geopolitical risk that exposes it to sanctions liability, that creates unmanageable operational disruption, or that results in an inability to repatriate revenues from a market.


13.3 Operational Risk

Key Risk Indicators

The following Key Risk Indicators (KRIs) are monitored by the Operations and Technology functions and reported to the Risk and Compliance function on a weekly basis, with threshold breaches triggering immediate escalation.

KRI | Metric | Amber Threshold | Red Threshold
Transaction success rate - Pay-Ins | Percentage of initiated transactions completed successfully | < 95% | < 90%
Transaction success rate - Pay-Outs | Percentage of disbursements completed within SLA | < 94% | < 88%
Platform availability | Uptime percentage (rolling 30-day) | < 99.5% | < 99.0%
Settlement break rate | Percentage of settlement cycles with unresolved breaks at T+2 | > 2% | > 5%
Failed transaction resolution time | Average time to resolve failed transactions (hours) | > 24 hours | > 48 hours
Reconciliation completion - on time | Percentage of daily reconciliation cycles completed by cut-off | < 98% | < 95%
Incident frequency - P1 and P2 | Count of P1 and P2 incidents per calendar month | > 2 | > 5
Third-party API availability - critical partners | Availability of critical payment rail APIs (MNOs, banks) | < 97% | < 95%
Pending transaction queue - age | Count of transactions pending > 48 hours | > 500 | > 1,000
Chargeback rate | Chargebacks as percentage of settled volume | > 0.5% | > 1.0%

Incident Management

Simpaisa uses a four-tier incident classification system aligned with the SRE operating model. All incidents are logged in the incident management system in real time, with mandatory post-incident review for P1 and P2 events.

Priority 1 (P1) - Critical. Complete payment processing outage affecting all or substantially all transactions in one or more live markets; breach of client SLA at a level that threatens commercial relationship or regulatory sanction; security incident involving confirmed data exfiltration or system compromise. Target time to mitigate: 1 hour. Target time to resolve: 4 hours. Immediate notification to: CISO, CTO, Country Head Pakistan, CEO, CDO. Board notification within 24 hours for security incidents.

Priority 2 (P2) - High. Partial payment processing outage affecting a subset of payment methods or merchant accounts; significant degradation in transaction success rates below the red KRI threshold; compliance system failure affecting transaction monitoring or sanctions screening continuity; settlement failure affecting a material volume of transactions. Target time to mitigate: 2 hours. Target time to resolve: 8 hours. Notification to relevant function head and operations team.

Priority 3 (P3) - Medium. Degraded performance affecting individual merchants or payment channels without systemic impact; non-critical system failures with available workarounds; reconciliation breaks below the red threshold. Target time to resolve: 24 hours. Managed through standard operations channels.

Priority 4 (P4) - Low. Minor operational issues, individual transaction failures, non-time-sensitive system defects. Target time to resolve: 72 hours. Managed through standard ticketing process.

Post-incident review. All P1 incidents and recurring P2 incidents require a formal post-incident review within five business days of resolution. The review produces a root cause analysis, a list of corrective actions with named owners and target dates, and an assessment of whether any KRI thresholds or control frameworks require amendment. Post-incident reviews for P1 events are reported to the Audit and Risk Committee.

Business Continuity and Disaster Recovery

Simpaisa operates an active-active disaster recovery architecture on AWS, with primary and secondary environments maintained in parallel across AWS regions. In the event of a primary region failure, traffic is automatically routed to the secondary environment with a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of zero for committed transactions. Annual DR exercises are conducted to validate these objectives.

Simpaisa's frontier-market operating environment introduces BCP scenarios that are materially different from those addressed in a standard technology BCP:

Power infrastructure failures. Pakistan, Iraq, and Nepal experience significant power grid instability, including multi-hour outages in major cities. Simpaisa's payment rails in these markets - the mobile network operator wallets and branchless banking agents - are themselves dependent on power availability. The BCP addresses this through: (a) maintaining redundant connectivity paths that do not depend on a single power infrastructure zone; (b) working with payment rail partners to understand their own backup power capabilities; and (c) building into client SLAs an explicit carve-out for force majeure outages attributable to national infrastructure failure, with defined communication protocols.

Civil unrest and political instability. Pakistan has experienced periods of civil unrest - including internet shutdowns and communications blackouts - that directly impact payment processing. Bangladesh underwent significant political transition in 2024. Iraq carries persistent conflict-related risk. The BCP addresses this through: (a) geographic distribution of operations teams so that a single-country communications blackout does not prevent incident response; (b) maintaining out-of-band communications channels for critical team coordination; and (c) pre-defined decision protocols for suspending operations in a specific market versus maintaining degraded service.

Telecoms and internet infrastructure failures. Internet connectivity in frontier markets is materially less reliable than in developed markets, and some markets (notably Nepal and parts of Iraq) are served by infrastructure with limited redundancy. Simpaisa uses Cloudflare deployed in-country as a connectivity and security layer, and maintains diverse connectivity paths where available. Mobile network operator wallet APIs - which are a critical dependency for pay-in and pay-out processing in Pakistan and Bangladesh - each have defined downtime notification protocols and failover routing logic within the payment engine.

Regulatory-mandated service suspension. Central banks in the group's operating markets have the power to direct payment service providers to suspend operations, restrict certain transaction types, or impose emergency settlement holds. This is not a hypothetical risk: the State Bank of Pakistan has exercised similar powers in the context of foreign exchange controls. The BCP defines the response protocol for a regulator-directed suspension, including merchant communication responsibilities, float protection measures, and the escalation path to legal and regulatory affairs.

Third-Party and Outsourcing Risk

Simpaisa's payment operations are critically dependent on a network of third-party payment rail partners - mobile network operators, branchless banking agents, banks, and payment system operators - across each of its markets. The failure, commercial disruption, or regulatory suspension of a key third-party partner represents a material operational risk.

Third-party risk is managed through the following controls: (a) a formal third-party onboarding and due diligence process that assesses financial stability, regulatory standing, operational resilience, and information security posture; (b) contractual minimum service level commitments from all tier-one partners; (c) diversification of payment rail coverage - no single payment method or partner should account for more than 40% of processed volume in any given market without a documented contingency plan; (d) ongoing monitoring of partner financial health, regulatory status, and operational performance; and (e) annual review of the third-party risk register by the Audit and Risk Committee.

AWS is treated as a critical infrastructure supplier. The risk of AWS service degradation is addressed through the active-active multi-region architecture and the DR programme. AWS's own BCP and SLA commitments are incorporated into Simpaisa's operational resilience assessment.


13.4 Financial Risk

FX Risk

Simpaisa processes payments in Pakistani rupees (PKR), Bangladeshi taka (BDT), Nepali rupees (NPR), and Iraqi dinar (IQD) - four frontier currencies that share characteristics materially different from the major currencies in which Simpaisa's corporate financial reporting and international settlements are predominantly conducted (USD, GBP, CAD).

PKR has experienced significant devaluation against the US dollar: from approximately PKR 150/USD in 2020 to over PKR 280/USD in 2024, with periodic sharp devaluations that have occurred over days rather than weeks, often prompted by IMF programme conditions or balance-of-payments pressures. BDT has been more stable historically but has faced increasing pressure following the 2024 political transition and the removal of the managed float that previously dampened volatility. NPR is pegged to INR, providing a degree of indirect stability, but NPR cannot be freely converted offshore and faces periodic liquidity constraints. IQD is formally pegged to USD but operates under a CBI-managed auction system for USD access, creating a parallel market and effective conversion costs that must be priced into the product.

FX risk management for each currency is structured as follows:

Minimising open positions. The core principle is that Simpaisa should not hold material unhedged positions in frontier currencies for longer than is required to complete the settlement cycle. Transaction pricing - the MDR or FX spread applied to each transaction - incorporates an FX risk premium calibrated to the historical volatility of the relevant currency pair over the settlement window. Settlement windows are kept as short as commercially negotiable with bank and MNO partners.

Pre-funding discipline. Pay-out operations require Simpaisa to hold float in local currency. Float levels are managed tightly: sufficient to meet 24-48 hours of projected disbursement volume, with daily review and top-up authorisation. Excess float represents an unhedged long position in a volatile currency and is avoided.

FX hedging. Formal FX hedging instruments (forwards, options) are available for PKR and BDT on a limited basis through correspondent bank relationships. The Global CFO and treasury function are responsible for assessing hedging cost versus benefit for material positions. IQD and NPR hedging markets are effectively non-existent; risk for these currencies is managed through pricing and settlement velocity rather than hedging instruments.

Escalation thresholds. FX risk exposures exceeding defined thresholds - expressed as USD equivalent of net open frontier-currency positions - trigger escalation to the Global CFO and, where relevant, to the Audit and Risk Committee.

Liquidity Risk and Float Management

Simpaisa's payment operations require the maintenance of pre-funded float in each operating market to enable real-time or near-real-time disbursement. Float management is the responsibility of the treasury function, operating under policies set by the Global CFO.

Float levels are sized based on rolling 30-day average daily disbursement volume, with a buffer calibrated to peak-day volume (typically the first and last days of the month in Pakistan, and the days immediately following salary payment cycles in each market). Ramadan creates a distinctive peak in remittance volumes - particularly in the final ten days - and float management is adjusted accordingly as part of the annual Ramadan operational plan (see Section 14.4).

Liquidity stress scenarios addressed in the treasury operating model include: (a) a sudden acceleration in outbound volume driven by a currency devaluation event, in which senders accelerate remittance to protect value for recipients; (b) a payment rail failure that delays inbound collections, creating a mismatch between settlement obligations and available float; and (c) a bank partner placing a temporary hold on Simpaisa's accounts pending KYC or compliance review, which has occurred in the industry and requires immediate escalation and alternative float sourcing.

Credit and Counterparty Risk

Simpaisa's primary credit and counterparty exposures arise from three sources: bank partners holding client and operational funds; MNO wallet operators with whom settlement cycles create credit exposure; and merchants where revenue share or deferred settlement arrangements create receivable balances.

Bank partner counterparty risk is managed through: (a) holding funds across multiple bank partners in each market rather than concentrating with a single institution; (b) monitoring bank partner credit ratings and regulatory standing on an ongoing basis; and (c) maintaining the minimum float required for operational purposes in frontier-market bank accounts, with excess funds repatriated to group treasury as quickly as permitted by FX controls.

MNO wallet counterparty risk - the risk that an MNO fails to settle collected funds to Simpaisa - is managed through contractual protections, daily settlement reconciliation, and concentration limits per MNO.

Settlement Risk and Failed Transaction Exposure

Settlement risk arises from the lag between payment authorisation and final settlement of funds. In cross-border payment processing, this lag can extend to T+3 or longer depending on the payment rail, the currency, and the settlement cycle agreed with the partner. During this window, Simpaisa bears the risk of: partner default; regulatory intervention freezing the settlement; and FX movement that erodes the value of the settlement.

Failed transaction exposure refers to the cost and liability associated with transactions that are initiated and authorised but fail to complete - for example, a mobile wallet that accepts a top-up instruction from the customer but fails to credit the recipient's account. These events create both financial exposure (the need to refund the customer) and operational exposure (the investigation, escalation, and partner negotiation required to resolve the failure). Failed transaction rates, break resolution times, and refund processing timelines are monitored as KRIs and reported to the Audit and Risk Committee on a monthly basis.


13.5 Regulatory and Compliance Risk

Regulatory and compliance risk is the risk that Simpaisa fails to meet the requirements of applicable laws, regulations, licence conditions, or supervisory expectations, resulting in regulatory sanction, financial penalty, reputational damage, or loss of operating licence.

The regulatory landscape in which Simpaisa operates is unusually complex: nine entities, seven or more jurisdictions, regulators ranging from the State Bank of Pakistan to FINTRAC to the DFSA, and a product portfolio that spans traditional payments, remittances, crypto assets, and white-label financial services. Each new market entry and each new product adds to the regulatory perimeter.

Key regulatory and compliance risks for Simpaisa include:

Regulatory change risk. Central banks in frontier markets can and do change requirements - foreign exchange controls, transaction limits, KYC thresholds, reporting formats - with limited notice and limited consultative process. The Global Head of Regulatory Affairs maintains active relationships with each regulator and monitors regulatory pipeline changes. A 30-day horizon scan is presented to the Executive Leadership Team monthly.

Licensing risk. Simpaisa's operations in Iraq and Nepal are conducted under arrangements that depend on local partner structures rather than own licences. The risk that a local partner's licence is suspended, or that a regulator requires Simpaisa to hold its own licence within a defined timeframe, is a material near-term risk for these markets. The licence acquisition roadmap (Section 11.4) addresses this.

AML/CFT control failure. Simpaisa processes high volumes of cross-border transactions originating in remittance-sending markets where financial crime typologies - particularly value transfer linked to trade-based money laundering and, in Pakistan specifically, hawala networks - are well-documented by FATF. A failure in transaction monitoring, customer due diligence, or suspicious activity reporting could result in regulatory sanction, licence revocation, and reputational damage that would be existential for the business. The AML/CFT programme (Section 12.2) is the primary mitigant.

FATF grey-listing risk. Pakistan has been on the FATF grey list and may be subject to re-evaluation. Bangladesh has faced similar scrutiny. A country's presence on the FATF grey list creates heightened correspondent banking risk - the risk that correspondent bank partners apply enhanced due diligence or restrict access to USD clearing for entities operating in grey-listed jurisdictions. Simpaisa monitors FATF evaluations and maintains relationships with correspondent banks in Canada and the UK that have historically maintained access to FATF grey-list jurisdictions.

VASP regulatory risk. The regulatory framework for virtual asset service providers is evolving rapidly across all of Simpaisa's markets. The crypto off-ramp product creates VASP obligations in multiple jurisdictions. The FATF Travel Rule - which requires VASPs to share originator and beneficiary information for transactions above threshold - creates technical compliance obligations that are managed through the technology platform and documented in Section 8.5.4.


13.6 Geopolitical and Country Risk

Pakistan

Pakistan represents Simpaisa's largest market by volume and therefore its most significant country risk concentration. The key risks are:

Capital controls and foreign exchange restrictions. The State Bank of Pakistan has periodically imposed restrictions on FX remittances, USD purchases, and the repatriation of profits from Pakistan. These controls can be imposed rapidly in response to balance-of-payments pressures and create immediate operational challenges for Simpaisa's FX management and revenue repatriation. The risk is mitigated by maintaining diversified treasury infrastructure and by monitoring SBP guidance proactively through the Pakistan country team and the Global Head of Regulatory Affairs.

Political instability. Pakistan has experienced significant political turbulence in recent years, including changes of government, judicial interventions, and periods of civil unrest involving internet restrictions and communications blackouts. Political events of this nature directly impact payment processing - in particular mobile wallet operations that depend on mobile data connectivity. The BCP addresses the protocols for degraded-service operations during communications-restricted periods.

Currency devaluation. PKR has undergone repeated significant devaluations. Each devaluation event creates: (a) an immediate FX mark-to-market loss on any unhedged PKR float; (b) a surge in inbound remittance volume as diaspora senders seek to take advantage of the more favourable exchange rate; and (c) short-term liquidity pressure as the float required to meet elevated disbursement volume increases in USD terms. These dynamics are modelled in the treasury stress scenarios.

IMF programme conditionality. Pakistan's engagement with the IMF periodically results in policy conditions - including energy price increases, tax reforms, and exchange rate adjustments - that create macroeconomic volatility with direct payment-sector implications. Simpaisa monitors IMF programme milestones through its network of regulatory and banking relationships in Pakistan.

Bangladesh

Foreign exchange controls. Bangladesh Bank maintains a managed exchange rate regime and has imposed restrictions on USD purchases and profit repatriation during periods of external account pressure. The 2024 political transition - which resulted in a change of government - created a period of regulatory and commercial uncertainty that affected the payment sector broadly.

Political transition risk. Bangladesh's political transition in 2024 created uncertainty about regulatory priorities and personnel in Bangladesh Bank and the Bangladesh Financial Intelligence Unit. Simpaisa's Bangladesh country team, led by Sanjana Farid, maintained active engagement with regulatory counterparts throughout this period. The risk of further political disruption is assessed as moderate for the medium term.

aamarPay concentration. Simpaisa's Bangladesh operations are substantially delivered through aamarPay, in which Simpaisa holds a strategic equity stake. A deterioration in aamarPay's operating performance, regulatory standing, or financial health would have a material impact on Simpaisa's Bangladesh revenues. This risk is managed through the board representation that comes with the equity stake, through active operational involvement, and through the parallel Simpoysha BD entity structure that provides an alternative vehicle.

Nepal

Capital account restrictions. Nepal maintains restrictions on the capital account, including limits on outbound FX transfers and requirements for approval of certain foreign investments. These restrictions create complexity in structuring Simpaisa's investment in Pay Nest PVT LTD and in repatriating revenue from the Nepal corridor.

Minimum capital requirements. Nepal Rastra Bank requires PSP-licensed entities to maintain minimum capital at levels that have been increasing as NRB strengthens the regulatory framework. The risk that NRB increases minimum capital requirements faster than Pay Nest can build its own capital base is a medium-term risk requiring monitoring.

Earthquake risk. Nepal sits in a seismically active zone and has experienced major earthquakes with devastating infrastructure impact. The BCP for Nepal addresses the specific scenario of a major seismic event affecting Kathmandu - the country's financial and telecommunications centre - including protocols for extended service suspension and merchant communication.

Iraq

Sanctions adjacency. Iraq is not itself subject to comprehensive international sanctions, but it shares a border with Iran - which is under US, EU, and UN sanctions - and has domestic financial institutions with relationships in the Iranian financial system. Correspondent banks are acutely sensitive to any exposure involving Iraq, and several international banks have chosen to exit Iraq entirely rather than manage the enhanced due diligence burden. Simpaisa's Iraq operations require a heightened sanctions control framework, described in Section 12.3, including specific transaction monitoring rules and correspondent bank communication protocols.

Conflict and security risk. Parts of Iraq remain subject to active conflict and security risk, which creates both operational risk (key staff and partner locations may be affected) and commercial risk (payment volumes in affected areas are unpredictable). Simpaisa's Iraq operations are structured to concentrate operational activity in the relatively stable commercial zones of Baghdad and Erbil, with contingency protocols for escalation events.

Correspondent banking restrictions. USD clearing access for Iraqi counterparties is restricted by many US correspondent banks. Simpaisa's treasury and financial operations for Iraq are structured to minimise reliance on USD correspondent relationships involving Iraqi banks, using Simpaisa's Canadian or UK entities as the clearing hub where possible.

Saudi Arabia and MENA

Saudisation (Nitaqat) requirements. Saudi Arabia's Nitaqat programme mandates minimum quotas of Saudi national employees in businesses operating in the Kingdom. As Simpaisa builds its Saudi operation - initially in partnership mode, subsequently as a licensed entity - it must comply with Saudisation requirements at each stage. The human resources model for Saudi Arabia must incorporate Saudisation planning from the market entry stage.

Evolving fintech regulation. SAMA's fintech regulatory framework is relatively young and is developing rapidly. The regulatory requirements for payment institution licensing, crypto asset services, and open banking are each in active evolution. The Global Head of Regulatory Affairs maintains active monitoring of SAMA regulatory publications and engages with the Saudi Fintech and similar industry bodies to anticipate regulatory changes.

DFSA application risk. The DFSA Category 3D application for Simpaisa Technologies LTD represents a significant investment and a material regulatory risk: if the application is delayed, refused, or granted subject to conditions that are commercially unworkable, the DIFC-based MENA commercial hub strategy requires reassessment. The application is managed by the Global Head of Regulatory Affairs with legal support, and progress is reported to the board quarterly.

Central Asia

Regulatory uncertainty. The regulatory frameworks for payments and fintech in Kazakhstan and Uzbekistan are developing but lack the maturity and predictability of more established regulatory environments. Licensing requirements, capital requirements, and operational standards may change with limited notice as both countries develop their fintech sectors. Simpaisa's market entry approach for Central Asia incorporates a regulatory assessment phase - conducted before any material investment commitment - to establish the stability and predictability of the regulatory environment.

Correspondent banking. Access to USD correspondent banking for Kazakhstan and Uzbekistan entities is more constrained than for Western markets, and the correspondent banking landscape may change in response to geopolitical events (particularly those arising from the Russia-Ukraine conflict and associated sanctions). Simpaisa's treasury model for Central Asia must account for potential correspondent banking access constraints from the outset.


13.7 Fraud Risk by Product Line

Pay-Ins (Collections). The primary fraud typologies for pay-in products are: merchant impersonation (fraudulent entities registering as merchants and collecting funds they do not intend to deliver); social engineering and authorised push payment (APP) fraud at the consumer level; and account takeover attacks on merchant portal credentials. Mitigants include: KYB screening at onboarding (including beneficial ownership verification and source of funds assessment); real-time transaction velocity monitoring; anomaly detection on transaction size and frequency by merchant; and multi-factor authentication on merchant portal access.

Pay-Outs (Disbursements). The primary fraud typologies for pay-out products are: manipulation of disbursement files or API calls to divert payments to fraudulent accounts; compromise of corporate customer credentials used to submit disbursement instructions; and duplicate disbursement attacks. Mitigants include: dual-authorisation requirements for disbursement instructions above defined thresholds; cryptographic signing of disbursement API calls; and real-time duplicate detection across the payment processing engine.

Remittances. Remittance fraud typologies include: romance scam and advance fee fraud using Simpaisa's rails as the collection mechanism; money mule account usage to launder criminal proceeds through outbound remittances; and ID document fraud in the KYC process to enable fraudulent account creation. Mitigants include: behavioural monitoring for transaction patterns consistent with mule account usage; biometric KYC integration where local market ID infrastructure supports it; and cross-corridor transaction monitoring that identifies split transactions designed to avoid reporting thresholds.

Crypto Off-Ramp. The crypto off-ramp product presents specific fraud risks: crypto-native fraud (exit scams, rug pulls) involving USDT that is then off-ramped through Simpaisa; and the use of crypto rails to circumvent AML/CFT controls. Mitigants include: FATF Travel Rule compliance (originator and beneficiary information for transactions above threshold); blockchain analytics integration (Chainalysis or equivalent) to screen incoming USDT transactions for exposure to flagged wallets; and enhanced due diligence for high-volume off-ramp customers.

White-Label Wallets. The fraud risk for white-label wallets is primarily borne by the white-label client - who operates the consumer-facing product - but Simpaisa bears reputational and, potentially, regulatory risk if its infrastructure is used to facilitate fraud. Mitigants include: contractual requirements for white-label clients to maintain AML/CFT and fraud management programmes meeting Simpaisa's minimum standards; the right of audit and inspection; and termination provisions for clients who fail to meet these standards.
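The three Pay-Outs mitigants listed above (signed disbursement API calls, duplicate detection, and dual authorisation above a threshold) can be combined in a single pre-processing gate. The sketch below is an added example, not Simpaisa's own code. The HMAC-SHA256 scheme, the field names, the threshold, the time windows, and the `DisbursementGate` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumed values for illustration; the page does not state thresholds or windows.
DUAL_AUTH_THRESHOLD_MINOR = 1_000_000   # 10,000.00 in minor units
MAX_SKEW_S = 300                        # accepted clock skew for timestamps
DUPLICATE_WINDOW_S = 3600               # look-back for identical payments
REQUIRED = {"client_id", "request_id", "beneficiary_account",
            "amount_minor", "currency", "timestamp"}


def canonical(instruction):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()


def sign(key, instruction):
    """HMAC-SHA256 over the canonical instruction (the scheme is an assumption)."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()


class DisbursementGate:
    """Hypothetical gate applied to every pay-out instruction before processing."""

    def __init__(self, api_keys, approver_keys):
        self.api_keys = api_keys              # client_id -> API signing key
        self.approver_keys = approver_keys    # client_id -> {approver_id: key}
        self.seen_request_ids = set()         # replay protection
        self.recent_payments = {}             # payment fingerprint -> accept time

    def _valid_approvers(self, instruction, approvals):
        """Return approver ids whose signature over this exact instruction verifies."""
        keys = self.approver_keys.get(instruction["client_id"], {})
        valid = set()
        for approver_id, sig in approvals.items():
            key = keys.get(approver_id)
            if key and hmac.compare_digest(sign(key, instruction), sig):
                valid.add(approver_id)
        return valid

    def check(self, instruction, api_signature, approvals, now):
        if not REQUIRED <= instruction.keys():
            return "REJECT", "malformed instruction"
        api_key = self.api_keys.get(instruction["client_id"])
        if api_key is None:
            return "REJECT", "unknown client"
        # Any change to amount or beneficiary after signing fails here.
        if not hmac.compare_digest(sign(api_key, instruction), api_signature):
            return "REJECT", "bad signature"
        if abs(now - instruction["timestamp"]) > MAX_SKEW_S:
            return "REJECT", "stale timestamp"
        rid = (instruction["client_id"], instruction["request_id"])
        if rid in self.seen_request_ids:
            return "REJECT", "replayed request_id"
        # Same payer, beneficiary, amount and currency under a new request_id.
        fp = (instruction["client_id"], instruction["beneficiary_account"],
              instruction["amount_minor"], instruction["currency"])
        last = self.recent_payments.get(fp)
        if last is not None and now - last <= DUPLICATE_WINDOW_S:
            return "HOLD", "possible duplicate payment"
        if instruction["amount_minor"] >= DUAL_AUTH_THRESHOLD_MINOR:
            if len(self._valid_approvers(instruction, approvals)) < 2:
                return "REJECT", "dual authorisation missing"
        self.seen_request_ids.add(rid)
        self.recent_payments[fp] = now
        return "ACCEPT", "ok"


def run_demo():
    """Constructed keys and instructions; returns the gate's decisions in order."""
    api = b"constructed-api-key"
    key_a, key_b = b"constructed-approver-a", b"constructed-approver-b"
    gate = DisbursementGate({"corp-1": api},
                            {"corp-1": {"alice": key_a, "bob": key_b}})
    now = 1_700_000_000
    small = {"client_id": "corp-1", "request_id": "r-1", "currency": "PKR",
             "beneficiary_account": "ACC-001", "amount_minor": 50_000,
             "timestamp": now}
    dup = dict(small, request_id="r-2")
    signed = dict(small, request_id="r-3")
    tampered = dict(signed, beneficiary_account="ACC-999")
    large = dict(small, request_id="r-4", beneficiary_account="ACC-002",
                 amount_minor=2_500_000)
    one = {"alice": sign(key_a, large)}
    two = dict(one, bob=sign(key_b, large))
    return [
        gate.check(small, sign(api, small), {}, now),         # valid, below threshold
        gate.check(small, sign(api, small), {}, now + 1),     # same request replayed
        gate.check(dup, sign(api, dup), {}, now + 2),         # same payment, new id
        gate.check(tampered, sign(api, signed), {}, now + 3), # altered after signing
        gate.check(large, sign(api, large), one, now + 4),    # one approver only
        gate.check(large, sign(api, large), two, now + 5),    # two approvers
    ]


if __name__ == "__main__":
    for status, reason in run_demo():
        print(status, reason)
```

Approver signatures use keys separate from the API key, so a compromised API credential alone cannot release an instruction above the threshold.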


13.8 Technology and Cyber Risk

Simpaisa's technology and cyber risk profile reflects the company's position as a regulated financial services operator with a cloud-native infrastructure, a 24/7 payment processing requirement, and operations in jurisdictions that are of significant interest to financially motivated threat actors.

The primary technology and cyber risks are:

Payment system compromise. A successful attack on the payment processing engine, the disbursement engine, or the merchant portal could result in fraudulent transaction authorisation, misdirection of funds, or manipulation of settlement records. Mitigants include: network segmentation and zero-trust architecture within the AWS environment; application-layer security controls including input validation and injection attack prevention; WAF protection (Cloudflare and AWS WAF); and automated anomaly detection in transaction patterns.

Data exfiltration. Simpaisa holds significant volumes of personal and financial data - merchant KYB records, customer transaction data, KYC documentation - that are of value to threat actors and subject to data protection regulation across multiple jurisdictions. Mitigants include: data minimisation at the storage layer; encryption at rest and in transit; IAM controls limiting data access to the minimum required for each role; and the CISO-led DLP programme.

Third-party supply chain attacks. Simpaisa's technology stack incorporates a range of third-party software dependencies and cloud services. A supply chain attack - for example, a malicious update to a software dependency used in the payment engine - could introduce a vulnerability without any action by Simpaisa's own team. Mitigants include: Snyk dependency scanning integrated into the CI/CD pipeline; software composition analysis; and vendor security assessment as part of third-party onboarding.

Insider threat. As a payments business, Simpaisa has employees in privileged positions who could potentially misuse their access. Mitigants include: principle of least privilege in IAM; four-eyes controls on critical operations; monitoring of privileged access activity; and regular access reviews.

Denial of service. DDoS attacks targeting Simpaisa's payment APIs could disrupt merchant processing. Cloudflare's DDoS mitigation is the primary control, supplemented by AWS Shield and rate-limiting at the API gateway layer.

Technology and cyber risk governance is described further in Section 16 and in the ISMS documentation.


13.9 Risk Reporting and Governance

Risk register. A group-wide risk register is maintained by the Risk and Compliance function. The register is reviewed and updated quarterly, with ownership confirmed for each risk and control status assessed. The risk register is structured by risk category and sub-entity, enabling both group-level reporting and entity-specific reporting for regulatory purposes.

Management reporting. A monthly risk dashboard is prepared by the Risk and Compliance function and presented to the Executive Leadership Team. The dashboard covers: KRI performance against thresholds; incident count and classification by priority; material risk events in the reporting period; and status of open risk remediation actions.

Committee reporting. The Audit and Risk Committee receives a quarterly risk report, prepared by the Risk and Compliance function and reviewed by the relevant functional risk owners. The report includes: an updated risk heat map; material changes in risk ratings since the prior quarter; status of regulatory examinations and audit findings; and a forward-looking horizon scan of emerging risks.

Board reporting. The full board receives an annual ERM report summarising the group's risk profile, the Risk Appetite Statement and any proposed changes, material risk events in the year, and the risk management priorities for the coming year.

Regulatory risk reporting. Each entity maintains the regulatory reporting required by its local regulator. In Pakistan, this includes SBP compliance reporting through the UCAS and IRRS systems. In Canada, this includes FINTRAC reporting through F2R. The regulatory reporting calendar (Section 12.8) documents all mandatory reporting obligations across jurisdictions and frequency.


Section 14: Islamic Finance and Shariah Considerations


14.1 Shariah Compatibility Framework

Simpaisa Holdings is not an Islamic financial institution. Its products are not structured as Islamic financial products, and the company does not market itself on the basis of Shariah compliance. This distinction is important and deliberate: the regulatory, operational, and governance obligations that attach to Islamic FI status - including the requirement for a formal Shariah supervisory board, fatwas on product structures, and Shariah audit - are appropriate for Islamic banks and takaful operators, not for a payments aggregator.

However, Simpaisa operates in markets that are not only majority-Muslim but where Islamic finance principles shape consumer expectations, regulatory priorities, commercial norms, and political discourse. Pakistan, Bangladesh, Iraq, Saudi Arabia, Kazakhstan, and Uzbekistan together represent over 600 million people, the overwhelming majority of whom are Muslim, and a substantial proportion of whom will make financial decisions - including whether to use a payment service - through the lens of Islamic finance principles. Dismissing this context would be both culturally illiterate and commercially damaging.

The purpose of this section is therefore not to claim Shariah compliance - a determination that is the province of qualified Shariah scholars - but to document the framework through which Simpaisa: (a) ensures that its products and operations do not contain structures that are straightforwardly incompatible with Islamic finance principles; (b) screens its merchant and partner relationships for prohibited activities; (c) manages its Islamic-market regulatory obligations; and (d) operates with the cultural competency and sensitivity that its markets require.

Riba (interest). The prohibition of Riba - broadly, any predetermined increment on a loan or financial transaction - is the most fundamental principle of Islamic finance. For a payments aggregator, the primary Riba-related concern is the treatment of client float: if Simpaisa earns interest on float held in bank accounts, and if that interest is earned on funds attributable to clients or recipients, the interest element is potentially Riba-bearing.

Simpaisa's position is as follows. Merchant development reserve (MDR) and FX spread income - which constitute the overwhelming majority of Simpaisa's revenue - are fees for services rendered, not interest. They do not give rise to Riba concerns. Float income - interest earned on client funds held overnight in bank accounts - is a more nuanced matter. Where Simpaisa earns interest on client funds held in jurisdictions where interest-bearing bank accounts are the standard commercial product, this income is recognised but is not actively marketed as a revenue line. Simpaisa does not structure its product pricing or treasury operations to maximise float income from client funds. As the DFSA application progresses and as Saudi Arabia is entered, the treasury structure will be reviewed by the Shariah advisory arrangements described in Section 14.3 to confirm that float management does not inadvertently create Riba exposure that would be material in those markets.

Gharar (excessive uncertainty). Gharar refers to excessive uncertainty or ambiguity in a financial contract, which is prohibited under Shariah. For a payments aggregator, the risk of Gharar arises principally in FX transactions where the exchange rate is not fixed at the point of the transaction. Simpaisa's FX products - including remittance FX spreads - are structured to ensure that the rate is locked at the point of transaction initiation, and that the customer receives a clear and transparent statement of the rate applied before the transaction is confirmed. This transparency requirement aligns with both Gharar avoidance and with applicable consumer protection regulation in Simpaisa's operating markets.

Haram activities. The prohibition of Haram activities covers a defined set of activities that are forbidden under Islamic law, including the production or distribution of alcohol, pork-related products, pornography, conventional gambling, weapons of mass destruction, and certain other categories. The application of this principle to a payments aggregator operates primarily through the merchant onboarding and KYB process, described in Section 14.2.


14.2 Product Shariah Screening - Merchant Onboarding

Simpaisa's merchant base includes global technology companies (Google, Samsung, Temu, Tencent), gaming and entertainment platforms (Garena, InDrive), and financial services platforms (dLocal, Thunes, TerraPay, Muzz, Binance). The overwhelming majority of these merchants conduct activities that are Shariah-compatible.

However, as Simpaisa's merchant base grows - particularly with the addition of Saudi Arabia, where the regulatory and social environment around haram activities is subject to active enforcement - a structured merchant Shariah screening process becomes a material operational requirement.

Prohibited merchant categories. Simpaisa does not onboard merchants whose primary business activity falls within the following categories:

  • Conventional gambling and betting (online casinos, sports betting platforms, lottery operators)
  • Alcohol production, wholesale, or retail
  • Adult content and pornography
  • Pork and pork-derived product production or distribution
  • Weapons, firearms, and ammunition (unless licensed defence contractors operating under applicable export control frameworks)
  • Conventional interest-based lending marketed primarily to Muslim consumers (micro-lending products structured as Riba-bearing products, for example)

This list of prohibited categories is aligned with the policies of major Islamic-market regulators - including SAMA and the UAE's Emirates Authority for Standardisation - and is consistent with the approach taken by Islamic banks and financial institutions in determining permissible business relationships.

Integration with KYB. The merchant Shariah screening process is integrated into the standard KYB onboarding workflow. At the point of merchant onboarding, the Business Development team and Compliance team jointly complete a merchant categorisation that assigns the merchant to one of three categories: (a) Shariah-compatible - no issues identified; (b) Shariah-sensitive - the merchant operates in an industry that requires enhanced review before onboarding approval (for example, a gaming platform that includes elements of chance-based mechanics); or (c) Prohibited - the merchant's primary business activity falls within a prohibited category and the merchant cannot be onboarded.

For Shariah-sensitive merchants, the enhanced review considers: the proportion of the merchant's revenue derived from the sensitive activity; the specific products or services for which Simpaisa's payment processing is being used; and the market in which the payments will be processed. A gaming platform that uses Simpaisa solely for in-game item purchases (virtual currency, character upgrades) and explicitly excludes gambling mechanics is categorised differently from one that runs a chance-based game with monetary prizes. The enhanced review is documented and approved by the Head of Compliance or Global Head of Regulatory Affairs before onboarding proceeds.

Ongoing monitoring. Merchant Shariah categorisation is reviewed at the annual merchant review cycle and on a triggered basis if new information suggests a change in the merchant's business activities. A merchant that changes its business model to include prohibited activities after onboarding is subject to the same off-boarding process as a merchant that fails AML/CFT standards.


14.3 Shariah Advisory Arrangements

Simpaisa does not currently maintain a standing Shariah supervisory board or a retained Shariah advisory relationship. This reflects the company's current status as a conventional (non-Islamic) payments aggregator operating primarily under Pakistani and Bangladeshi regulatory frameworks, neither of which requires a Shariah advisory arrangement for a licensed payment aggregator.

However, as Simpaisa's expansion creates new regulatory and commercial contexts in which formal Shariah advisory engagement is either required or commercially advantageous, the following arrangements are anticipated:

DFSA application (UAE/DIFC). The DFSA does not require a Category 3D authorised firm to maintain a Shariah supervisory board unless the firm is offering Shariah-compliant products. However, if Simpaisa's UAE operations include any product or service that is marketed as Shariah-compliant - including any Islamic finance-adjacent product developed as part of the Zakat facilitation capability - a formal Shariah endorsement will be required. The DFSA's approach to Shariah matters for authorised firms is governed by its Shariah Supervision Module (SHB), which requires, for Shariah-compliant business, a Shariah Supervisory Board of at least three scholars with DFSA recognition.

Saudi Arabia (SAMA). SAMA's fintech regulatory framework and social context make Shariah advisory engagement a practical necessity for any fintech seeking to build credibility in the Saudi market, even where it is not a formal regulatory requirement. Simpaisa's Saudi market entry plan includes engagement with a recognised Shariah advisory firm - AAOIFI-certified scholars or members of SAMA's Shariah advisory panels - to review the product suite being offered in Saudi Arabia and to confirm compatibility with the applicable Shariah standards. The Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI) standards - particularly AAOIFI Shariah Standard No. 1 (Trading in Currencies) - are the applicable reference framework for payment products offered in Islamic markets.

AAOIFI standards. AAOIFI's standards on currency trading (SS No. 1) establish that spot currency exchange is permissible (halal) provided that the exchange is concluded simultaneously (hand to hand) and that there is no element of deferred exchange that could create a Riba-bearing structure. Simpaisa's FX product structures - where the rate is locked at the point of transaction and settlement is completed within the standard payment processing window - are consistent with this standard. Formal AAOIFI review will be sought as part of the Saudi market entry preparation.

Engagement model. When Shariah advisory engagement is required, the Global Head of Regulatory Affairs will lead the selection and engagement of a Shariah advisory firm, in consultation with the CDO and Global CFO. Advisory relationships will be documented through a formal terms of engagement, specifying the scope of the advisory review, the deliverables (typically a written opinion or fatwa), the qualifications of the scholars involved, and the review and renewal cadence.


14.4 Islamic Market Sensitivity in Operations

Simpaisa's operational model must reflect the practical realities of operating in Islamic-majority markets. The considerations in this section are not compliance obligations; they are operational disciplines that are necessary to serve these markets effectively, to retain the trust of regulators and partners in those markets, and to demonstrate the cultural competency that differentiates Simpaisa from competitors who treat Islamic-market sensitivity as a footnote.

Prayer Time Considerations in SLAs and Customer Service

The five daily prayers (Salah) are observed by the vast majority of the population in Simpaisa's markets. In Pakistan, Bangladesh, and Iraq, prayer times are a structural part of the working day: businesses close or reduce activity during prayer times, and government offices, bank branches, and MNO customer service operations observe prayer breaks as a matter of practice.

Simpaisa's SLA commitments with merchants are designed to account for prayer-time service interruptions without treating those interruptions as SLA breaches. For markets where prayer breaks are standard, SLA clock calculations for customer service response and complaint resolution exclude the standard prayer break windows (typically 30 minutes per prayer, five times daily). Payment processing SLAs - which measure transaction success rates and processing times - are not paused for prayer times, as the automated payment engine operates continuously; however, human-assisted exception handling and customer service response times do incorporate prayer-time windows.

The operations team scheduling model - particularly for the customer service and partner support functions in Pakistan - incorporates prayer time scheduling as a standard element of shift planning, ensuring that cover is maintained across prayer times rather than having the entire team break simultaneously.

Ramadan Operational Adjustments

Ramadan is the most significant operational planning event in Simpaisa's Islamic-market calendar. The month of fasting - which typically runs for 29 or 30 days and falls at a different point in the Gregorian calendar each year, advancing approximately 11 days annually - creates distinct operational patterns that must be planned for each year.

Volume patterns. Ramadan produces elevated remittance volumes, particularly in the final ten days (the last third of Ramadan, including Laylat ul-Qadr) and in the days immediately preceding Eid ul-Fitr, when families in receiving markets require funds for Eid celebrations, clothing, and food. In Pakistan and Bangladesh, this surge can reach 2–3 times the normal daily volume during the peak Ramadan days. Float management, pre-funding levels, and operations team capacity are adjusted in advance of Ramadan each year.

Working hours. In Pakistan, Bangladesh, Iraq, and Saudi Arabia, official working hours are reduced during Ramadan - typically by two to three hours per day. Government offices, banks, and MNO customer service operations operate on shortened schedules. This affects the availability of counterpart teams for escalation, reconciliation, and exception handling during the month. Simpaisa's operations team adjusts its escalation protocols and expected response times from partners accordingly, and communicates any SLA modifications to merchants in advance of Ramadan.

Customer service staffing. The customer service team in Pakistan observes Ramadan working hours. Shift scheduling during Ramadan accounts for Iftar (breaking of the fast at sunset), Suhoor (the pre-dawn meal), and Taraweeh prayers (which may extend late into the night). Ramadan shift planning is conducted by HR and Operations at least six weeks before the start of Ramadan, and the Ramadan operational plan is approved by the Country Head Pakistan.

Eid ul-Fitr. The three days of Eid ul-Fitr at the end of Ramadan are public holidays in all of Simpaisa's primary markets. Payment processing continues on an automated basis, but customer service, settlement escalation, and partner reconciliation operate on a skeleton basis. Merchant communications confirming the Eid holiday operational posture are issued at least two weeks before the expected Eid date.

Ramadan 2026 preparation. Ramadan 2026 is expected to begin on approximately 17 February 2026. The operations and treasury teams should initiate Ramadan planning - including float pre-funding assessment, SLA communications, and staffing schedules - no later than 1 February 2026.

Friday Scheduling Considerations

Friday (Jumu'ah) is the day of congregational prayer in Islam and is a working day in Pakistan and Bangladesh, but is a weekend day in Saudi Arabia, the UAE, Iraq, and most of the Gulf. The GCC's shift from a Friday-Saturday weekend to a Saturday-Sunday weekend - adopted by the UAE and Saudi Arabia in recent years - has partially harmonised Friday scheduling with Western markets, but Friday still carries reduced business activity in all Simpaisa markets due to Jumu'ah prayer, which typically involves a two-hour midday break.

Simpaisa's board and executive meetings are scheduled to avoid Friday prayer time (approximately 12:00–14:00 local time in each market). Settlement cut-off times that fall on Fridays are adjusted where possible, and partner SLA escalations initiated on Fridays account for the reduced availability of counterpart teams.

Eid and Islamic Holiday Calendar Management

Simpaisa operates across five primary markets - Pakistan, Bangladesh, Nepal, Iraq, and UAE - each of which observes a different set of public holidays, including Islamic holidays that are determined by the lunar calendar. Islamic holidays do not fall on fixed Gregorian dates; they shift annually based on the sighting of the moon, which can also vary by one day between countries.

The Eid holidays - Eid ul-Fitr (end of Ramadan) and Eid ul-Adha (Festival of Sacrifice, 70 days after Eid ul-Fitr) - are observed as national public holidays in all of Simpaisa's Islamic-majority markets. Eid ul-Adha is additionally a significant operational period because it coincides with the Hajj pilgrimage, which generates significant payment flows (Hajj package payments, remittances from pilgrims and their families) and elevated demand for money transfer services.

The Group Operations calendar - published at the start of each calendar year - documents the Islamic holiday schedule for all markets, based on estimated lunar calendar calculations with confirmation issued as actual dates are determined. Merchant communications, partner SLA notifications, and operations team scheduling are based on this calendar. Where holiday dates vary between markets by one day (as commonly occurs with Eid sightings), the communication to merchants operating across multiple Simpaisa markets specifies the holiday date for each individual market.

Zakat Payment Facilitation

Zakat - the annual obligatory charitable payment required of Muslims who meet the minimum wealth threshold (nisab) - is one of the Five Pillars of Islam. Zakat is calculated as 2.5% of qualifying wealth held for one lunar year above the nisab threshold, and is payable during or after Ramadan in most traditions.

In Pakistan, Zakat collection is managed through the national Zakat and Ushr system, with mandatory deduction from bank accounts at the rate of 2.5% on savings balances above the nisab threshold. In other markets, Zakat is a voluntary act managed by individuals through charitable giving to approved recipients.

Simpaisa has identified Zakat payment facilitation as a potential product feature - specifically, the ability for users of Simpaisa-powered wallets and remittance products to calculate and direct Zakat payments to approved charitable organisations in their home markets through the Simpaisa platform. This feature would: (a) serve a genuine consumer need in markets where the logistics of Zakat payment can be complex; (b) generate fee income from the payment processing component; and (c) differentiate Simpaisa in the Saudi and Gulf markets, where Zakat management is a significant consumer finance activity.

The Zakat facilitation capability is at concept stage as at April 2026. Development will require: engagement with Zakat authorities in each target market to confirm the regulatory framework for facilitated Zakat payments; Shariah advisory review to confirm that the product structure is compatible with the applicable rules for Zakat disbursement; and product and technology development to build the calculation and routing functionality. The CDO and CPO are jointly responsible for progressing this feasibility assessment.

Cultural Competency in Multi-Market Team Management

Simpaisa's team spans Pakistan, Bangladesh, Nepal, Iraq, the UAE, Singapore, Canada, and the United Kingdom. The majority of the team are Muslim, and a significant proportion observe Islamic practice actively - including prayer times, the Ramadan fast, Eid celebrations, and the avoidance of interest-bearing financial products.

Cultural competency in managing this team is not a diversity and inclusion aspiration; it is an operational requirement. The following practices are embedded in Simpaisa's people management model:

Prayer facilities. All Simpaisa office locations are required to provide appropriate prayer facilities (a dedicated prayer room or quiet space) for observing Muslim employees. This is a standard provision in the UAE and Pakistan offices; the HR function is responsible for confirming equivalent provision in any new office location.

Dietary requirements. All Simpaisa-catered events - team meetings, client entertainment, external events - must accommodate halal dietary requirements as the default. The default catering standard for Simpaisa events is halal food unless a specific exception is approved by the relevant Country Head or the COO.

Ramadan working adjustments. Muslim employees who observe the Ramadan fast are accommodated through flexible working arrangements during Ramadan - including adjusted start and finish times, remote working flexibility, and discretion on break scheduling. These accommodations are managed at the team level, with HR providing guidance and the relevant functional head approving team-level Ramadan working plans.

Islamic holiday leave. The group leave policy provides for Eid ul-Fitr and Eid ul-Adha as group-wide public holidays across all entities, in addition to any locally mandated Eid holiday entitlement. Where an entity is located in a jurisdiction that does not treat Eid as a public holiday (Canada, UK, Singapore), Muslim employees are entitled to take Eid days as personal holiday leave without requiring it to be deducted from their annual leave entitlement.

Cross-cultural awareness. Non-Muslim employees - who are a significant proportion of the Nepal, Canada, UK, and Singapore teams - are provided with an Islamic calendar orientation during onboarding and are briefed annually on the operational significance of Ramadan, Eid, and the Islamic holiday calendar. This is not an exercise in religious instruction; it is a practical briefing on how the business operates during these periods and why certain operational adjustments are made.


End of Sections 1, 2, 13, and 14.


Document control

Field | Detail
Document title | Simpaisa Group Operating Model - Sections 1, 2, 13, 14
Version | 0.1 (Initial draft)
Date | April 2026
Author | Chief Digital Officer
Status | Draft - pending executive review
Classification | Simpaisa Confidential
Next review | 30 June 2026