SIMPAISA GROUP - OPERATING MODEL¶
PART X: POLICIES, STANDARDS, AND PROCEDURES¶
Section 27: Policy Framework¶
27.1 Policy Hierarchy¶
Simpaisa Group operates a three-tier policy hierarchy designed to balance uniform group-wide standards with the operational and regulatory reality of a nine-entity business spanning seven jurisdictions, multiple regulatory regimes, and materially different market conditions. The hierarchy ensures that the most fundamental obligations - those arising from group governance, group-level regulatory commitments, and the board's risk appetite - are set centrally and cannot be diluted by entity-level decisions, while preserving the flexibility for local entities to adopt more stringent controls where their domestic regulator requires it.
Tier 1 - Group Policies are board-approved documents that apply to every legal entity, employee, contractor, and appointed representative within the Simpaisa Group without exception. They establish minimum standards that no entity may fall below. Tier 1 documents are owned by Group-level function heads (Group Chief Compliance Officer, Group CISO, Group CFO) and are approved by the Simpaisa Holdings PTE. Limited Board of Directors or a duly constituted board committee. They are reviewed at least annually and whenever a material regulatory change, significant incident, or structural group change occurs. Conflict between a Tier 1 policy and any lower-tier document is resolved in favour of the Tier 1 document; exceptions require written approval from the Group function head and, where material, from the relevant Board committee.
Tier 2 - Entity-Level Policies are jurisdiction-specific documents that implement Tier 1 requirements within the constraints of the applicable local regulatory framework. They are approved by the local entity's board of directors or, where no separate local board exists, by the relevant country management committee with sign-off from the Group function head. Tier 2 documents may impose requirements that are stricter than Tier 1 minimums (for example, where a local regulator mandates enhanced due diligence thresholds or specific record-keeping periods that exceed the group standard) but may never fall below them. Where a local legal requirement appears to conflict with a Tier 1 standard, the entity's compliance officer must escalate immediately to the Group Chief Compliance Officer; the conflict will be documented, legal advice obtained, and a resolution approved at Board level.
Tier 3 - Standard Operating Procedures (SOPs) are department-level documents that translate policies into step-by-step operational instructions. They are approved by the relevant function head (e.g., Head of Compliance Operations, Head of Technology, Head of Operations) and do not require board approval. SOPs must remain consistent with, and reference, the applicable Tier 1 and Tier 2 policies. Any employee may identify a need for a new or revised SOP; the request is raised with the function head who owns the relevant policy area. SOPs are reviewed at least annually and whenever the underlying policy is revised, a process change is implemented, or an audit finding identifies a gap.
Exception handling. Any individual or entity seeking an exception to a Tier 1 policy must submit a written exception request to the Group function head responsible for that policy, setting out the nature of the exception, the business or regulatory justification, the duration requested, and proposed compensating controls. Exceptions may not be approved for requirements that are legally mandated in any applicable jurisdiction. Approved exceptions are recorded in the Policy Exception Register maintained by the Group Chief Compliance Officer, reported to the relevant Board committee at the next scheduled meeting, and reviewed at least quarterly.
27.2 Policy Index and Ownership Matrix¶
The table below records all current and required policies across the Simpaisa Group. "Last Review" and "Next Review" dates for active policies reflect the most recent formal review cycle based on data room document dates. All dates are expressed as calendar quarter and year (for example, Q4 2024). Policies marked "Required - To Be Drafted" are addressed in Section 27.4.
| # | Policy Name | Tier | Policy Owner | Approver | Applicable Entities | Last Review | Next Review | Status |
|---|---|---|---|---|---|---|---|---|
| 1 | Group Compliance Framework | 1 | Group CCO | Group Board | All entities | Q4 2024 | Q4 2025 | Active |
| 2 | Group Client Funds Safeguarding Policy | 1 | Group CFO | Group Board | All entities holding client money | Q4 2024 | Q4 2025 | Active |
| 3 | Group Sanctions Policy | 1 | Group CCO | Group Board | All entities | Q4 2024 | Q4 2025 | Active |
| 4 | Group Anti-Bribery and Corruption (ABC) Policy | 1 | Group CCO | Group Board | All entities | Q4 2024 | Q4 2025 | Active |
| 5 | Risk Assessment Policy | 1 | Group CRO / Group CCO | Group Board / Audit & Risk Committee | All entities | Q4 2024 | Q4 2025 | Active |
| 6 | AML/CFT/PF Policy - Singapore HoldCo | 2 | Group CCO | Singapore Board | Simpaisa Holdings PTE. Limited | Q4 2024 | Q4 2025 | Active |
| 7 | AML/CFT/PF Policy - Commerce Plex (Canada) | 2 | Commerce Plex CO | Commerce Plex Board / Group CCO | Commerce Plex Limited (UK/Canada) | Q4 2024 | Q4 2025 | Active |
| 8 | AML/CFT Policy - Simpaisa CA (Canada) | 2 | Simpaisa CA CO | Simpaisa CA Board / Group CCO | Simpaisa CA LTD | Q4 2024 | Q4 2025 | Active |
| 9 | AML/CFT/PF Policy - PublishEx (Pakistan) | 2 | PublishEx MLRO | PublishEx Board / Group CCO | PublishEx Solutions PVT Limited | Q4 2024 | Q4 2025 | Active |
| 10 | Anti-Fraud Policy - Commerce Plex (Canada) | 2 | Commerce Plex CO | Commerce Plex Board / Group CCO | Commerce Plex Limited | Q4 2024 | Q4 2025 | Active |
| 11 | Anti-Fraud Policy - Simpaisa CA (Canada) | 2 | Simpaisa CA CO | Simpaisa CA Board / Group CCO | Simpaisa CA LTD | Q4 2024 | Q4 2025 | Active |
| 12 | PublishEx Sanctions Policy | 2 | PublishEx MLRO | PublishEx Board / Group CCO | PublishEx Solutions PVT Limited | Q4 2024 | Q4 2025 | Active |
| 13 | Data Retention and Protection Policy | 1 | Group CISO / Group CCO | Group Board | All entities | Q4 2024 | Q4 2025 | Active |
| 14 | Security Architecture Document | 1 | Group CISO | Group Board / Tech & InfoSec Committee | All entities | Q4 2024 | Q4 2025 | Active |
| 15 | Operational Resilience Policy | 1 | Group COO / Group CISO | Group Board | All entities | - | Q2 2025 | Required - To Be Drafted |
| 16 | Outsourcing and Third-Party Management Policy | 1 | Group COO / Group CCO | Group Board | All entities | - | Q2 2025 | Required - To Be Drafted |
| 17 | Data Governance Policy | 1 | Group CISO / Group CCO | Group Board | All entities | - | Q3 2025 | Required - To Be Drafted |
| 18 | Conflicts of Interest Policy | 1 | Group CCO / Group General Counsel | Group Board | All entities; Board and ExCo members | - | Q2 2025 | Required - To Be Drafted |
| 19 | Whistleblowing Policy | 1 | Group CCO / Group General Counsel | Group Board | All entities | - | Q2 2025 | Required - To Be Drafted |
| 20 | Remuneration Policy | 1 | Group CFO / Group CHRO | Remuneration & Nomination Committee | All entities | - | Q3 2025 | Required - To Be Drafted |
| 21 | Fit and Proper Policy | 1 | Group CCO / Group CHRO | Group Board | All regulated entities; all approved persons | - | Q2 2025 | Required - To Be Drafted |
| 22 | Complaints Handling Policy | 1 | Group CCO / Group COO | Group Board | All customer-facing entities | - | Q2 2025 | Required - To Be Drafted |
| 23 | Code of Conduct and Ethics | 1 | Group CCO / Group General Counsel | Group Board | All entities; all personnel | - | Q2 2025 | Required - To Be Drafted |
27.3 Policy Development and Review Process¶
Stage 1 - Identification of Need¶
A need for a new or revised policy may be identified by any of the following: a change in applicable law or regulation (including guidance, enforcement actions, or regulatory expectations issued by FINTRAC, SBP, Bangladesh Bank, NRB, DFSA, MAS, FCA, or equivalent); a material finding from an internal audit, external audit, or regulatory examination; a significant operational incident, fraud event, or near-miss; an acquisition, new market entry, or new product launch that creates a previously uncovered risk area; a gap identified during the annual policy review cycle; or a request from an entity's board or management committee. The identification is documented in the Policy Development Log maintained by the Group Chief Compliance Officer.
Stage 2 - Mandate and Scoping¶
The relevant Group function head confirms whether the need requires a new policy, an amendment to an existing policy, or an additional SOP beneath an existing policy. A policy mandate note is prepared, setting out the proposed scope, the tier at which the document will sit, the proposed owner, the regulatory drivers, and the timeline for completion. For Tier 1 policies, the mandate note is presented to the relevant Board committee before drafting commences. For Tier 2 policies, it is approved by the Group function head with notification to the entity's governance body.
Stage 3 - Drafting¶
The policy owner drafts the document using the Group Policy Template, which includes the following mandatory sections: purpose and scope; definitions; policy requirements; roles and responsibilities; exceptions process; training and communication requirements; review schedule; and regulatory references. For entity-level policies, the drafter must include a mapping of how the document implements Tier 1 requirements and addresses local regulatory obligations. External legal counsel with expertise in the relevant jurisdiction should be engaged wherever the local regulatory environment introduces complexity that cannot be resolved through internal expertise alone.
Stage 4 - Legal Review¶
All Tier 1 policies and all Tier 2 policies for regulated entities must be reviewed by the Group General Counsel (or external legal counsel in the relevant jurisdiction) prior to compliance review. Legal review confirms that the policy does not conflict with applicable law, that obligations are accurately characterised, and that the document could withstand regulatory scrutiny. Legal review comments are addressed by the drafter before the document proceeds.
Stage 5 - Compliance Review¶
The Group Chief Compliance Officer (or, for entity-level policies, the local compliance officer with Group CCO sign-off) reviews the policy to ensure alignment with the Group Compliance Framework, consistency with other policies in the hierarchy, adequacy of controls, and completeness of regulatory coverage. The compliance review confirms that the policy is consistent with the FATF Recommendations, takes account of the findings of the FATF mutual evaluation of each applicable jurisdiction, and meets the specific requirements of each applicable regulator.
Stage 6 - Approval¶
Tier 1 policies are submitted to the Simpaisa Holdings Board of Directors or the relevant Board committee for formal approval. The submission includes the policy document, a summary of key changes (for revisions), the legal review sign-off, the compliance review sign-off, and a note on any exceptions granted during the drafting process. Tier 2 policies are approved by the entity's board or management committee (with evidence of Group CCO sign-off). Tier 3 SOPs are approved by the relevant function head. Approval is recorded in the board or committee minutes.
Stage 7 - Communication and Publication¶
Upon approval, the policy owner publishes the document to the Group policy repository (SharePoint/data room) within five business days. An all-staff communication is issued by the Group CCO for any Tier 1 policy. For Tier 2 and Tier 3 documents, entity-level management is responsible for distributing and communicating the policy to all affected staff within ten business days of approval. All policies carry a version number, effective date, and approval reference.
Stage 8 - Training¶
For all Tier 1 policies and for Tier 2 policies that introduce materially new obligations, the relevant function head and the Group Learning and Development function design and deliver training to all applicable staff within thirty calendar days of the policy effective date. Training completion is recorded by HR and is included in the Group's compliance training matrix. New joiners receive policy training as part of their onboarding programme, typically within their first two weeks of employment.
Stage 9 - Annual Review¶
Every policy in the Policy Index is subject to a formal review at least once every twelve months. The policy owner initiates the review no later than ninety days before the scheduled review date. The review confirms whether the policy remains current, accurate, and fit for purpose; whether any regulatory changes require amendments; and whether any audit findings, incidents, or operational experience suggest improvements. The review outcome is one of: (a) no change required - confirmed and re-dated; (b) minor amendments made - approved by function head; or (c) material revision - full development process repeated from Stage 3.
Stage 10 - Review Triggers¶
In addition to the annual review cycle, a policy review is triggered automatically by any of the following events: a change in applicable law or regulation in any jurisdiction where the policy applies; a material regulatory finding or enforcement action against the Group or a comparable payment institution; a significant operational incident or fraud event that exposes a policy gap; a new product launch, market entry, or acquisition that falls within the policy's scope; a change in the Group's risk appetite; or an instruction from the Board or a regulatory authority.
Stage 11 - Retirement¶
A policy is retired when its subject matter is permanently superseded by a replacement document, the relevant entity ceases operations, or the Group exits a product line to which the policy exclusively applied. Policy retirement requires the same approval as the original policy. Retired policies are archived in the data room with their retirement date and a cross-reference to any successor document. Records of retired policies are retained for a minimum of seven years.
27.4 Policy Gap Analysis and Roadmap¶
The following nine policies have been identified as required but not yet drafted as at the date of this Operating Model. Each is necessary either as a condition of the Group's DFSA Category 3D application, as a general requirement of one or more existing regulators, or as foundational governance infrastructure for a multi-jurisdictional regulated financial institution. The responsible owners listed are the Group-level function heads who will lead drafting; entity-level input will be required from compliance officers in each jurisdiction.
Policy 1 - Operational Resilience Policy¶
Regulatory Driver and Operational Need: The DFSA requires regulated firms to maintain an operational resilience framework that identifies important business services, sets impact tolerances, tests the ability to remain within those tolerances under severe but plausible disruption scenarios, and remediates any gaps. MAS and SBP also issue guidance on technology risk and business continuity that implicitly requires a formalised operational resilience framework. For Simpaisa, which operates payment infrastructure serving merchants and end-beneficiaries in frontier markets where local banking systems are fragile, the reputational and regulatory consequences of extended downtime are severe. The existing BCP/DR references in the operating model (Section 10.5) require a formal policy foundation.
Priority: Critical
Target Completion Date: 30 June 2025
Responsible Owner: Group COO, with input from Group CISO and Group CTO
Policy 2 - Outsourcing and Third-Party Management Policy¶
Regulatory Driver and Operational Need: The DFSA's Outsourcing Rules (COB Chapter 7 and GEN Chapter 2) require that Category 3D firms maintain a written outsourcing policy, conduct due diligence on material outsourcing arrangements, maintain intragroup and third-party contracts with minimum prescribed terms, and notify the DFSA of material outsourcing arrangements. Simpaisa's reliance on AWS (cloud infrastructure), Eastnets (sanctions screening), and a network of payment channel partners across Pakistan, Bangladesh, and Nepal means that third-party risk is one of the most significant operational risk vectors the Group faces. FINTRAC's guidance on agent relationships and SBP's agent banking framework also impose obligations on outsourcing governance that require a formal policy framework.
Priority: Critical
Target Completion Date: 30 June 2025
Responsible Owner: Group COO, with input from Group CCO and Group CISO
Policy 3 - Data Governance Policy¶
Regulatory Driver and Operational Need: Simpaisa processes personal data and transaction data across nine legal entities in seven jurisdictions. Data residency, cross-border transfer, and data localisation requirements vary materially: Pakistan's Prevention of Electronic Crimes Act (PECA) 2016 and SBP directives restrict the export of certain customer and financial data; Bangladesh's ICT Act 2006 and Bangladesh Bank guidelines impose data storage requirements; Singapore's Personal Data Protection Act (PDPA) governs transfers; the UAE's Federal Data Protection Law and DIFC Data Protection Law apply to the DIFC entity; UK GDPR applies to Commerce Plex; and Canada's PIPEDA/Bill C-27 framework applies to the Canadian MSBs. A Data Governance Policy is required to define data ownership, data classification, cross-border transfer rules, data quality standards, and the governance structures that ensure compliance with all applicable frameworks. This policy also provides the governance foundation for the existing Data Retention and Protection Policy.
Priority: High
Target Completion Date: 31 August 2025
Responsible Owner: Group CISO, with input from Group CCO and Group General Counsel
Policy 4 - Conflicts of Interest Policy¶
Regulatory Driver and Operational Need: The DFSA's General Module (GEN Rule 3.4) requires regulated firms to identify, manage, and disclose conflicts of interest. This applies at board level, executive level, and in the conduct of business. Simpaisa's board composition - with directors who have external business interests and relationships with potential partners and investors - and its cross-border business model create a range of actual and potential conflicts that must be managed systematically. The policy must address conflicts arising from: directors' external directorships; investment relationships between shareholders and counterparties; employee outside employment; gifts and hospitality (building on but distinct from the ABC Policy); and the allocation of business opportunities across the group's entities.
Priority: Critical (gating for DFSA application)
Target Completion Date: 30 June 2025
Responsible Owner: Group CCO / Group General Counsel, with Board Secretariat
Policy 5 - Whistleblowing Policy¶
Regulatory Driver and Operational Need: The DFSA requires regulated firms to maintain a whistleblowing framework that enables employees and others to report concerns about regulatory breaches, financial crime, and misconduct without fear of retaliation. This obligation exists in parallel under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) regime, FINTRAC guidance, and good governance expectations in all of Simpaisa's operating jurisdictions. Beyond regulatory compliance, a genuine and accessible whistleblowing mechanism is a critical control in the Group's anti-fraud and anti-bribery programme: without it, the Group loses a primary source of intelligence about misconduct that may not surface through transaction monitoring or audit. The policy must provide meaningful protections against retaliation, establish confidential reporting channels, define the investigation process, and set out management obligations.
Priority: Critical
Target Completion Date: 30 June 2025
Responsible Owner: Group CCO / Group General Counsel, with Group CHRO
Policy 6 - Remuneration Policy¶
Regulatory Driver and Operational Need: The DFSA's Remuneration Requirements (applicable to Category 3D firms) require that a regulated firm's remuneration structure does not create incentives for excessive risk-taking, is consistent with effective risk management, and that the firm's Remuneration Committee (or equivalent governance body) approves arrangements for senior management and material risk-takers. As Simpaisa builds out its UAE entity, formalising the remuneration framework is a regulatory prerequisite. More broadly, as a scaled fintech with equity-based incentive arrangements across multiple jurisdictions, a Remuneration Policy is necessary to ensure consistency, fairness, and legal compliance across all entities. The policy must address fixed and variable remuneration, performance measurement criteria, deferral and clawback provisions, and governance oversight.
Priority: High
Target Completion Date: 31 August 2025
Responsible Owner: Group CFO / Group CHRO, approved by Remuneration and Nomination Committee
Policy 7 - Fit and Proper Policy¶
Regulatory Driver and Operational Need: Every jurisdiction in which Simpaisa operates imposes fit and proper requirements on directors, senior managers, MLROs, compliance officers, and other approved persons. The standards differ in detail but share a common framework: assessment of honesty and integrity (absence of criminal convictions, regulatory sanctions, and adverse financial history), competence and capability (relevant experience and qualifications), and financial soundness. SBP, Bangladesh Bank, NRB, DFSA, MAS, FINTRAC, and HMRC all maintain their own frameworks. A group-level Fit and Proper Policy is required to establish a consistent minimum standard for initial assessments, the maintenance of ongoing fitness, procedures for addressing changes in status, and record-keeping obligations. It must interface with the Recruitment and Onboarding process (Section 19.2), the Regulatory Affairs function (Section 5.3.10), and the HR employee lifecycle process.
Priority: Critical
Target Completion Date: 30 June 2025
Responsible Owner: Group CCO / Group CHRO, with Global Head of Regulatory Affairs
Policy 8 - Complaints Handling Policy¶
Regulatory Driver and Operational Need: The DFSA requires that regulated firms maintain a written complaints handling policy, acknowledge complaints promptly, investigate them thoroughly, and provide final responses within prescribed timeframes. FINTRAC guidance and the Canadian Consumer Protection regime impose comparable obligations on the Canadian MSBs. SBP's regulatory framework for payment service providers also addresses customer complaint handling. For a business processing cross-border payments and remittances in markets where beneficiaries have limited recourse and financial literacy may be lower, an effective complaints process is both a regulatory requirement and a critical tool for identifying fraud, processing errors, and systemic service failures. The policy must address the definition of a complaint, intake channels, acknowledgement and resolution timescales, escalation to regulators, root-cause analysis, and reporting to management.
Priority: High
Target Completion Date: 31 August 2025
Responsible Owner: Group CCO / Group COO
Policy 9 - Code of Conduct and Ethics¶
Regulatory Driver and Operational Need: A Code of Conduct and Ethics is a foundational governance document required by the DFSA (Principle 3 of the DFSA's Principles for Authorised Firms), expected by MAS and FINTRAC, and recognised as a hallmark of sound governance by international investors, external auditors, and correspondent banking partners. For Simpaisa, operating in frontier markets where corruption risk is elevated (Pakistan, Bangladesh, and Iraq all feature in the lower quartiles of Transparency International's Corruption Perceptions Index), a clear and accessible Code of Conduct is an essential component of the Group's anti-corruption and ethical culture framework. The Code must address: honesty and fairness in dealings; prohibition of corruption and facilitation of tax evasion; conflicts of interest; gifts and hospitality; use of company resources; social media and external communications; personal data handling; and consequences for breaches.
Priority: Critical
Target Completion Date: 30 June 2025
Responsible Owner: Group CCO / Group General Counsel, approved by Group Board
Section 28: Key Policies - Summaries and Cross-References¶
28.1 AML/CFT/CPF Policy Suite¶
Purpose: The AML/CFT/CPF Policy Suite establishes the Group's framework for identifying, assessing, and mitigating the risks of money laundering, terrorist financing, and proliferation financing across all products, channels, and jurisdictions in which Simpaisa operates. It implements FATF Recommendations 1, 10–21, and 29–33, and the specific statutory requirements of each applicable domestic AML/CFT regime.
Scope: The suite comprises four documents: (i) the Group-level AML/CFT/PF Policy (Singapore HoldCo), which sets minimum standards for the entire group; and (ii–iv) entity-level addenda for Commerce Plex (Canada), Simpaisa CA (Canada), and PublishEx (Pakistan), each of which implements domestic requirements that are stricter than or supplementary to the group standard. The suite covers all directors, employees, contractors, and agents of the Group, all products (pay-ins, pay-outs, remittances, crypto off-ramping), and all customer types (merchants, individual remitters, and recipient beneficiaries). It applies to Simpoysha BD, Soft Tech/aamarPay, Pay Nest, and Simpaisa Technologies through the Group-level document pending the drafting of entity-specific addenda.
Key Provisions:
- Risk-based approach to customer due diligence (CDD), with standard, simplified, and enhanced due diligence tiers determined by customer risk classification (individual, corporate, PEP, high-risk jurisdiction, virtual asset counterparty)
- Mandatory KYC/KYB at onboarding for all customers and business partners, including identity verification (documentary and/or electronic), beneficial ownership determination to the natural person level, and purpose-of-relationship assessment
- Ongoing transaction monitoring using rule-based and behavioural analytics, with alert generation, investigation, and disposition protocols
- Suspicious transaction/activity reporting (STR/SAR) obligations: timelines vary by jurisdiction (Canada: as soon as practicable once reasonable grounds to suspect are established; Pakistan: immediately upon suspicion; Singapore: as soon as practicable)
- FATF Travel Rule compliance for virtual asset transfers above the applicable threshold, with originator and beneficiary information collected and transmitted via a supported VASP messaging protocol
- Record retention of CDD records for a minimum of five years (seven years in Pakistan and Canada) from the end of the customer relationship or completion of the transaction
- Prohibition on tipping-off: staff are prohibited from disclosing to a customer or third party that a report has been or may be made
- Annual AML/CFT risk assessment at group and entity level, with outputs feeding the Group ERM framework
Regulatory Basis: FATF 40 Recommendations; Canada PCMLTFA and PCMLTFR (FINTRAC); Pakistan Anti-Money Laundering Act 2010, Financial Monitoring Unit Act 2007, SBP AML/CFT guidelines; MAS Notice SFA04-N02; Bangladesh Money Laundering Prevention Act 2012 (Bangladesh Bank/BFIU); Nepal Asset (Money) Laundering Prevention Act 2008 (NRB/FIU); DFSA AML Module (applicable upon Cat 3D authorisation); FATF Mutual Evaluations for all relevant jurisdictions.
Cross-References: Group Compliance Framework (Section 27, Policy 1); Group Sanctions Policy (Section 28.2); Risk Assessment Policy (Section 28.6); Anti-Fraud Policy (Section 28.5); RASCI Matrix 7.8 (KYC/KYB); RASCI Matrix 7.9 (Sanctions Screening and Transaction Monitoring); Section 12.2 (Compliance Programme); Country Operating Models (Sections 20–25).
Owner and Review Cycle: Group Chief Compliance Officer (Tier 1 document); entity compliance officers (Tier 2 addenda). Annual review, with additional review triggered by FATF guidance updates, mutual evaluation outcomes, regulatory examinations, or material incidents.
28.2 Sanctions Policy¶
Purpose: The Group Sanctions Policy establishes Simpaisa's commitment to compliance with all applicable international sanctions regimes and sets out the controls, screening requirements, escalation procedures, and governance arrangements that ensure no transaction is processed for, or with, a sanctioned person, entity, vessel, or jurisdiction.
Scope: The Group Sanctions Policy applies to all entities, employees, contractors, and agents within the Simpaisa Group. The PublishEx Sanctions Policy (a Tier 2 document) supplements the group standard with SBP-specific requirements applicable to PublishEx Solutions PVT Limited. All payment flows - including pay-ins, pay-outs, remittances, and crypto off-ramp transactions - are subject to screening without exception. The policy applies to all counterparties in a payment chain: merchants, payers, payees, correspondent banks, payment channel partners, and underlying beneficiaries.
Key Provisions:
- Mandatory screening of all transactions, customer onboarding events, and partner onboarding events against UN Security Council consolidated lists, OFAC SDN and non-SDN lists, the UK HM Treasury consolidated list, EU sanctions lists, and any domestic list required by a local regulator (including SBP-specified lists)
- Screening is conducted via the Eastnets sanctions screening platform, configured to match against all applicable lists with threshold settings approved by the Group CCO; the platform covers name screening, country screening, and payment message screening (SWIFT MT and ISO 20022)
- A "block first, investigate second" approach: any potential match generates an automatic transaction hold pending investigation; staff do not process a transaction flagged as a potential match until the hit has been dispositioned in accordance with the Hit Escalation Procedure
- False positive management: investigators use a structured disposition procedure with documented rationale; any true match is escalated immediately to the Group CCO and, where required, reported to the relevant competent authority (OFAC, OFSI, relevant domestic FIU) within statutory timeframes
- Escalation matrix: the Group CCO is notified of any true match within one hour; where a transaction involves a designated person or a jurisdiction subject to comprehensive sanctions, the Group CEO is also notified; legal advice is obtained before any response is provided to the counterparty
- Correspondent banking: all correspondent banking relationships and payment channel partnerships are subject to sanctions due diligence before onboarding and on an ongoing basis, including assessment of the counterparty's own sanctions programme
- Prohibition on circumvention: staff are prohibited from structuring transactions or using alternative routing to avoid sanctions screening
- Annual sanctions training for all staff in customer-facing, operations, compliance, and technology roles; completion tracked by HR
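As an added illustration of the hold-first screening flow described in the provisions above (example code written for this page, not Eastnets' matching logic or the Group's production configuration), the following Python implements name normalisation, an order-insensitive fuzzy score, country screening, an automatic hold on any potential match, and a release gate that refuses to lift a hold until every hit carries a documented false-positive disposition. The two list entries, the 0.85 threshold and the country code ZZ are constructed for the example and are not real designations.

```python
"""Minimal sanctions name/country screening with a block-first decision.

Constructed example: the list entries, the country code "ZZ" and the 0.85
threshold are hypothetical. A production platform also matches on aliases,
transliterations, dates of birth and identifiers against the full official lists.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample list entries; these are NOT real designations.
SAMPLE_LIST = [
    {"id": "LIST-0001", "name": "Example Trading Company Limited"},
    {"id": "LIST-0002", "name": "Jan Muster"},
]
# Hypothetical jurisdiction under comprehensive sanctions (ZZ is an ISO 3166 user-assigned code).
COMPREHENSIVE_SANCTIONS_COUNTRIES = {"ZZ"}
# Corporate-form tokens that carry no identifying weight and would inflate or deflate scores.
STOPWORDS = {"ltd", "limited", "llc", "inc", "co", "company", "corp", "corporation", "pvt", "plc"}


@dataclass(frozen=True)
class Party:
    name: str
    country: str  # ISO 3166-1 alpha-2


@dataclass(frozen=True)
class Hit:
    party_role: str  # "originator" or "beneficiary"
    list_id: str     # list entry id, or "COUNTRY" for a jurisdiction hit
    matched: str     # list name or country that triggered the hit
    score: float
    reason: str


def normalize(name: str) -> list[str]:
    """Fold case and accents, strip punctuation, drop corporate-form words."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c)).casefold()
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded)
    return [t for t in folded.split() if t not in STOPWORDS]


def similarity(a: str, b: str) -> float:
    """Order-insensitive similarity in [0, 1]; 1.0 means the normalised tokens are identical,
    so "Muster, Jan" scores 1.0 against "Jan Muster" and "CO. LTD" suffixes are ignored."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    return SequenceMatcher(None, " ".join(sorted(ta)), " ".join(sorted(tb))).ratio()


def screen_payment(originator: Party, beneficiary: Party, threshold: float = 0.85) -> dict:
    """Screen both parties; any potential hit (name or country) yields a HOLD decision."""
    hits: list[Hit] = []
    for role, party in (("originator", originator), ("beneficiary", beneficiary)):
        country = party.country.upper()
        if country in COMPREHENSIVE_SANCTIONS_COUNTRIES:
            hits.append(Hit(role, "COUNTRY", country, 1.0, "jurisdiction under comprehensive sanctions"))
        for entry in SAMPLE_LIST:
            score = similarity(party.name, entry["name"])
            if score >= threshold:
                hits.append(Hit(role, entry["id"], entry["name"], round(score, 3),
                                "potential name match at or above threshold"))
    return {"decision": "HOLD" if hits else "CLEAR", "hits": hits}


def may_release(result: dict, dispositions: dict[tuple[str, str], tuple[str, str]]) -> bool:
    """Release gate. Dispositions are keyed by (party_role, list_id) and hold (status, rationale).
    A held payment is released only if every hit is a FALSE_POSITIVE with a non-empty written
    rationale; a TRUE_MATCH or an undispositioned hit keeps the hold (escalation happens elsewhere)."""
    if result["decision"] == "CLEAR":
        return True
    for hit in result["hits"]:
        status, rationale = dispositions.get((hit.party_role, hit.list_id), ("", ""))
        if status != "FALSE_POSITIVE" or not rationale.strip():
            return False
    return True


if __name__ == "__main__":
    res = screen_payment(Party("Alice Smith", "SG"), Party("Examplle Tradng Ltd", "PK"))
    print(res["decision"], [(h.party_role, h.list_id, h.score) for h in res["hits"]])
```

The threshold is the tuning decision the policy assigns to the Group CCO: lowering it raises the false-positive workload, raising it risks a missed designation, and in this example a misspelt "Examplle Tradng Ltd" still scores above 0.85 against the list entry. Keying dispositions by party and list entry means a false-positive rationale recorded for one party cannot silently clear a different hit on the same payment.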
Regulatory Basis: UN Security Council Resolutions; OFAC (31 CFR Chapter V); UK Sanctions and Anti-Money Laundering Act 2018; EU Common Foreign and Security Policy; FATF Recommendation 6; Canada PCMLTFA sanctions provisions; SBP sanctions directives; MAS Notices on Terrorism Financing.
Cross-References: AML/CFT/CPF Policy Suite (Section 28.1); Anti-Fraud Policy (Section 28.5); RASCI Matrix 7.9 (Sanctions Screening and Transaction Monitoring); Section 12.3 (Sanctions Compliance); Section 23.4 (Iraq Sanctions Risk Management).
Owner and Review Cycle: Group Chief Compliance Officer. Annual review; immediate review upon any material sanctions regime change (designations, amendments to General Licences, new country sanctions), regulatory examination finding, or escalated true match.
28.3 Anti-Bribery and Corruption Policy¶
Purpose: The Group Anti-Bribery and Corruption (ABC) Policy establishes Simpaisa's zero-tolerance position towards all forms of bribery and corruption, whether involving public officials, private parties, or facilitation payments, and sets out the preventative controls, due diligence requirements, and reporting obligations that give effect to that commitment.
Scope: All directors, employees, contractors, consultants, and agents acting on behalf of any Simpaisa Group entity, in any jurisdiction. The policy applies to all forms of advantage - cash, gifts, hospitality, employment, charitable donations, and political contributions - given to or received from any third party. It is of particular operational significance in Pakistan, Bangladesh, Nepal, and Iraq, all of which present elevated corruption risk as assessed by Transparency International and FATF.
Key Provisions:
- Absolute prohibition on offering, paying, accepting, or facilitating bribes, whether directly or through third parties, and including facilitation payments (small payments to expedite routine government services), which the Group does not treat as exempt
- Gifts and hospitality must be bona fide, reasonable in value (limits: gifts up to SGD 50 equivalent; hospitality up to SGD 150 per occasion, subject to pre-approval above SGD 75), recorded in the Gifts and Hospitality Register, and must never be offered to a public official in a manner that could influence a decision
- Pre-engagement due diligence on all third parties who interact with government officials on the Group's behalf, including agents, lobbyists, introducers, and joint venture partners; due diligence is proportionate to risk and includes screening against the Group's sanctions and PEP databases
- All employees and relevant third parties receive ABC training at onboarding and annually thereafter; completion is tracked
- Suspected breaches must be reported immediately through the Whistleblowing channel (once operative) or directly to the Group CCO; suspected breaches involving the Group CCO are escalated directly to the Chairman of the Board
- Investigations are conducted by or under the supervision of the Group General Counsel, with findings reported to the Audit and Risk Committee
- No employee will suffer retaliation for raising a genuine concern in good faith; confirmed ABC breaches may result in termination and referral to law enforcement
Regulatory Basis: UK Bribery Act 2010 (applies to Commerce Plex and to group-wide conduct connected to the UK); Canada Corruption of Foreign Public Officials Act; Singapore Prevention of Corruption Act; Pakistan Prevention of Corruption Act 1947 and National Accountability Bureau Ordinance 1999; FATF Recommendations 28 and 40; OECD Convention on Combating Bribery.
Cross-References: Group Compliance Framework; Code of Conduct and Ethics (Section 28.14); Conflicts of Interest Policy (Section 28.13); Whistleblowing Policy (Section 28.12); Third-Party Management Policy (Section 28.11).
Owner and Review Cycle: Group Chief Compliance Officer. Annual review; additional review triggered by any ABC investigation, regulatory development, or entry into a new jurisdiction with materially higher corruption risk.
28.4 Client Funds Safeguarding Policy¶
Purpose: The Group Client Funds Safeguarding Policy establishes the framework for identifying, segregating, protecting, and returning funds held on behalf of clients, ensuring that client money is not commingled with the Group's own funds and that it is protected in the event of the insolvency of any Group entity.
Scope: All Group entities that receive, hold, or transmit funds on behalf of customers or merchant counterparties. This includes collection floats held pending disbursement, remittance funds in transit, pre-funded settlement positions, and any e-money or wallet balances held by the Group on behalf of customers. The policy applies to the treasury function, the finance function, and the operations function across all entities.
Key Provisions:
- Client funds must be held in dedicated segregated bank accounts, clearly designated as client money accounts in account titles and legal agreements, and never commingled with the Group's operational or own funds
- Client money accounts must be held at regulated credit institutions with appropriate credit ratings; where a Group entity is required by its local regulator to hold client funds at a specific institution or in a specific form (e.g., SBP-approved bank, Bangladesh Bank-designated account), that requirement takes precedence
- Daily reconciliation of the aggregate client money balance held in segregated accounts against the sum of individual client entitlements; reconciliation breaks must be investigated and resolved within one business day and escalated to the Group CFO if unresolved within two business days
- Interest accruing on client money accounts is allocated in accordance with applicable law and the relevant client agreement; in jurisdictions where passing interest to clients is required, it must be done; in jurisdictions where it is prohibited (or where the Group operates on an Islamic-compatible basis), accrued interest is handled in accordance with specific regulatory guidance
- In the event of any shortfall in the segregated account, the Group must fund the shortfall from its own resources immediately; shortfalls are reported to the Group CFO and Group CCO within one hour of discovery
- Client money holdings are reported in the Group's management accounts and are subject to review by external auditors; regulated entities report client money positions to their local regulator in accordance with applicable requirements
Regulatory Basis: MAS Guidelines on Safeguarding; DFSA Client Money Rules (applicable upon Cat 3D authorisation); FINTRAC guidelines on client fund handling; SBP Payment System Regulations; FCA Client Assets Sourcebook (CASS) - applicable to UK entity Commerce Plex to the extent it holds client funds; Bangladesh Payment and Settlement Systems Regulations 2014.
Cross-References: AML/CFT/CPF Policy Suite (Section 28.1); Record Retention Policy (Section 28.16); Section 18.5 (Client Funds Segregation); Section 17 (Financial Management); RASCI Matrix 7.10 (Settlement and Reconciliation).
Owner and Review Cycle: Group Chief Financial Officer. Annual review; additional review triggered by any reconciliation failure, regulatory change, or audit finding.
28.5 Anti-Fraud Policy¶
Purpose: The Anti-Fraud Policy suite establishes the Group's framework for preventing, detecting, investigating, and responding to fraud, including internal fraud, external fraud, merchant fraud, and payment fraud affecting the Group's products and customers.
Scope: The suite currently comprises entity-level policies for Commerce Plex (Canada) and Simpaisa CA (Canada). These apply to all employees, merchants, and transaction activity of the respective entities. The Group will develop a Group-level Anti-Fraud Policy (Tier 1) to cover all entities, with the Canadian entity policies retained as Tier 2 documents. The policy covers all fraud typologies relevant to cross-border payments: authorised push payment (APP) fraud, identity fraud, account takeover, merchant fraud (false transactions, round-tripping), refund abuse, cyber-enabled fraud, and internal employee fraud.
Key Provisions:
- Fraud risk assessment conducted annually and on new product or corridor launch, identifying fraud typologies by product, channel, and geography; highest-rated corridors (PK, BD, NP) are subject to enhanced controls
- Fraud controls at the transaction level include: velocity checks (frequency, value, destination account), device fingerprinting, IP geolocation, behavioural biometrics, and real-time transaction scoring; controls are calibrated by the fraud team with input from Operations and Technology
- Merchant onboarding includes fraud risk assessment; merchant activity is monitored on an ongoing basis for anomalous patterns (unusually high refund rates, transaction structuring, dormant-then-active patterns)
- Fraud alerts are investigated by the fraud operations team within defined SLAs (critical alerts: within 30 minutes; high: within 4 hours); confirmed fraud is escalated to the Group CCO and, where involving financial loss above defined thresholds, to the Group CEO
- Internal fraud controls include mandatory segregation of duties for payment processing, independent approval for manual overrides, surprise audits of high-risk functions (treasury, settlement), and background screening of employees in positions of trust
- All confirmed fraud events are reported to the relevant regulatory authority (FINTRAC in Canada; FMU in Pakistan; BFIU in Bangladesh) where required, and to law enforcement where criminality is involved
- Post-incident reviews are conducted for all fraud events exceeding a defined loss threshold; findings are fed back into fraud controls, transaction monitoring rules, and staff training
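The velocity checks named above (frequency, value, destination account) are the most mechanical of the transaction-level controls, and the point that matters operationally is that all three dimensions are evaluated per sender inside one sliding time window, with the alert severity driving the investigation SLA. The following is an added Python illustration of such a check; it is not the Group's fraud engine or its calibrated rules. The window, thresholds, the mapping of a value-limit breach to "critical", and the sample transaction stream are all assumptions constructed for the example.

```python
"""Sliding-window velocity checks (frequency, value, distinct destination
accounts) per sender, in the style of the transaction-level controls the
policy lists. Added illustration only: the thresholds, severity mapping,
field names and sample transactions below are assumptions, not the Group's
calibrated rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ts: datetime            # transactions are evaluated in timestamp order
    sender: str
    dest_account: str
    amount: float           # illustration only; use Decimal for real money


@dataclass(frozen=True)
class VelocityRule:
    window: timedelta
    max_count: int          # max transactions per sender inside the window
    max_value: float        # max aggregate value per sender inside the window
    max_distinct_dest: int  # max distinct destination accounts per sender


@dataclass(frozen=True)
class Alert:
    txn_id: str
    severity: str           # "critical" or "high"
    breaches: tuple         # which dimensions tripped
    sla_minutes: int        # investigation SLA from the policy: 30 min / 4 h


class VelocityChecker:
    def __init__(self, rule):
        self.rule = rule
        self._history = defaultdict(deque)   # sender -> deque of recent Txn

    def evaluate(self, txn):
        """Record txn, then return the Alert it raises (or None)."""
        hist = self._history[txn.sender]
        cutoff = txn.ts - self.rule.window
        # Evict everything that has aged out of the window for this sender.
        while hist and hist[0].ts < cutoff:
            hist.popleft()
        hist.append(txn)

        count = len(hist)
        value = sum(t.amount for t in hist)
        distinct = len({t.dest_account for t in hist})

        breaches = []
        if count > self.rule.max_count:
            breaches.append("count")
        if value > self.rule.max_value:
            breaches.append("value")
        if distinct > self.rule.max_distinct_dest:
            breaches.append("distinct_dest")
        if not breaches:
            return None
        # Assumed mapping: a value-limit breach is treated as critical (30-minute
        # SLA); any other breach as high (4-hour SLA), matching the policy's SLAs.
        if "value" in breaches:
            return Alert(txn.txn_id, "critical", tuple(breaches), 30)
        return Alert(txn.txn_id, "high", tuple(breaches), 240)


def run_velocity_checks(txns, rule):
    """Run every transaction through one checker and collect the alerts raised."""
    checker = VelocityChecker(rule)
    alerts = []
    for txn in sorted(txns, key=lambda t: t.ts):
        alert = checker.evaluate(txn)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample stream (not real data): sender S1 fans out to four
# accounts within six minutes, then goes quiet; S2 makes one normal payment.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_TXNS = [
    Txn("T1", T0 + timedelta(minutes=0),  "S1", "ACC-A", 1000.0),
    Txn("T2", T0 + timedelta(minutes=1),  "S1", "ACC-B", 1500.0),
    Txn("T3", T0 + timedelta(minutes=2),  "S2", "ACC-A",  200.0),
    Txn("T4", T0 + timedelta(minutes=3),  "S1", "ACC-C", 1200.0),
    Txn("T5", T0 + timedelta(minutes=4),  "S1", "ACC-D",  900.0),
    Txn("T6", T0 + timedelta(minutes=5),  "S1", "ACC-A",  800.0),
    Txn("T7", T0 + timedelta(minutes=20), "S1", "ACC-A",  100.0),
]
SAMPLE_RULE = VelocityRule(window=timedelta(minutes=10), max_count=5,
                           max_value=5000.0, max_distinct_dest=3)

if __name__ == "__main__":
    for alert in run_velocity_checks(SAMPLE_TXNS, SAMPLE_RULE):
        print(alert)
```

On the sample stream, T5 trips the distinct-destination limit (four beneficiary accounts inside ten minutes) and T6 additionally pushes the aggregate value over the limit, while T7 at 09:20 is clean because every earlier S1 transaction has aged out of the window. Note that the fan-out pattern is caught before the count limit is ever reached, which is why the policy lists destination account as a separate velocity dimension rather than relying on frequency alone.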
Regulatory Basis: Canada PCMLTFA (fraud-related obligations); FINTRAC operational guidance on fraud reporting; SBP fraud reporting requirements; Bangladesh Bank fraud circulars; FATF Recommendations on predicate offences; PCI DSS (fraud controls within card transaction processing).
Cross-References: AML/CFT/CPF Policy Suite (Section 28.1); Sanctions Policy (Section 28.2); Information Security Policy (Section 28.7); RASCI Matrix 7.11 (Incident Management); Section 13.7 (Fraud Risk).
Owner and Review Cycle: Entity compliance officers (Commerce Plex, Simpaisa CA) for existing Tier 2 documents; Group CCO for the forthcoming Tier 1 Group Anti-Fraud Policy. Annual review; additional review following any material fraud event or new product/corridor launch.
28.6 Risk Assessment Policy¶
Purpose: The Risk Assessment Policy establishes the Group's methodology and governance framework for identifying, assessing, rating, treating, and monitoring risks across all business lines, entities, and functions, consistent with an enterprise risk management approach aligned to the Group's risk appetite.
Scope: Applies to all entities and all risk categories within the Simpaisa ERM Framework: financial crime risk (ML/TF/PF), operational risk, financial risk, technology and cyber risk, regulatory and compliance risk, geopolitical and country risk, and strategic risk. It covers risks at the Group level and at the level of each individual entity, product line, and material third-party relationship.
Key Provisions:
- Risk assessments are conducted using a standardised methodology: inherent risk scoring (likelihood × impact on a defined scale), control effectiveness assessment, and residual risk scoring; residual risk is compared to the Group's risk appetite thresholds
- Financial crime risk assessments (AML/CFT/PF) are conducted at least annually at group level and entity level, and on every new product or corridor launch; they address customer risk, product and service risk, channel risk, and geographic risk
- Risk registers are maintained by each function head and consolidated into a Group Risk Register by the CRO; the Register is reviewed by the Audit and Risk Committee quarterly
- Risk appetite is expressed as a set of quantitative and qualitative thresholds approved by the Board; business activities that would cause residual risk to exceed appetite require Board approval
- New products, corridors, and entity acquisitions are subject to a formal risk assessment before launch or completion; the risk assessment is a prerequisite for the Board's approval of the initiative
- Third-party risk assessments are conducted for all material vendors and payment channel partners at onboarding and annually thereafter; findings feed the Third-Party Management Policy (Section 28.11) and the relevant due diligence register
- Emerging and horizon risks are reviewed quarterly by the ERM function and presented to the Audit and Risk Committee; geopolitical risk in frontier market jurisdictions (Pakistan, Bangladesh, Nepal, Iraq) is reviewed monthly given the pace of regulatory and political change
Regulatory Basis: FATF Recommendation 1 (risk-based approach); MAS Guidelines on Risk Management Practices; SBP Risk Management Guidelines; DFSA GEN Module (applicable to UAE entity); ISO 31000:2018 (Risk Management standard); COSO ERM Framework.
Cross-References: Group Compliance Framework; AML/CFT/CPF Policy Suite (Section 28.1); Operational Resilience Policy (Section 28.9); Outsourcing and Third-Party Management Policy (Section 28.11); Section 13 (Enterprise Risk Management).
Owner and Review Cycle: Group Chief Risk Officer / Group Chief Compliance Officer (joint ownership). Annual review; additional review triggered by a new risk category being identified, material change in risk appetite, regulatory examination, or material incident.
28.7 Information Security Policy (ISO 27001)¶
Purpose: The Information Security Policy establishes the Group's Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022, setting the framework of controls, governance, and continual improvement obligations that protect the confidentiality, integrity, and availability of information assets across the Group.
Scope: All information assets owned, processed, transmitted, or stored by any Simpaisa Group entity, including payment transaction data, customer personal data, system configurations, intellectual property, source code, and sensitive business information. The scope covers all Group personnel, contractors, and third-party service providers with access to Group systems or data, and encompasses all technology infrastructure (AWS cloud, on-premises servers, endpoints, mobile devices, network components) and all software platforms operated by the Group.
Key Provisions:
- The ISMS operates under the governance of the Group CISO, with oversight from the Technology and Information Security Board Committee; the ISMS scope, policy, and objectives are reviewed and approved annually by the Board Committee
- Information assets are classified under a four-tier scheme (Public, Internal, Confidential, Restricted) with associated handling requirements; all payment transaction data and personal data are classified as Restricted as a minimum
- Information security risk assessment and treatment follow the ISO 27001 process (Clauses 6.1.2 and 6.1.3), with Annex A as the reference control set; the Statement of Applicability is maintained and reviewed annually; control gaps are tracked in the risk treatment plan
- Access to information assets is governed by the principle of least privilege; access provisioning and de-provisioning are controlled through defined workflows with mandatory management approval; privileged access is subject to enhanced controls and quarterly review
- Security incident management follows a defined lifecycle: detection (via the 24/7 NOC/SOC using Datadog, CloudWatch, and CyGlass), triage, containment, eradication, recovery, and post-incident review; major incidents are escalated to the Group CISO within 30 minutes and to the Board within 24 hours
- Penetration testing is conducted by an independent third party at least annually against all critical systems; critical and high findings must be remediated within 30 days; all findings are tracked in the vulnerability management register
- Security awareness training is mandatory for all staff at onboarding and annually thereafter; phishing simulation exercises are conducted quarterly
Regulatory Basis: ISO/IEC 27001:2022; PCI DSS v4.0 (where applicable to cardholder data environments); MAS Technology Risk Management Guidelines; DFSA General Module (technology risk); SBP Cyber Security Policy for PSPs; Bangladesh Bank ICT Security Guidelines; Nepal Rastra Bank Payment System Directives.
Cross-References: Data Protection and Privacy Policy (Section 28.8); Acceptable Use and IT Security Policy (Section 28.10); Outsourcing and Third-Party Management Policy (Section 28.11); Operational Resilience Policy (Section 28.9); Section 16 (Information Security and Cyber Resilience); Security Architecture Document.
Owner and Review Cycle: Group CISO. Annual review aligned to the ISO 27001 surveillance audit cycle; additional review following any material security incident, significant audit finding, or material change to the technology architecture.
28.8 Data Protection and Privacy Policy¶
Purpose: The Data Protection and Privacy Policy establishes the Group's obligations and controls for the lawful, fair, and transparent processing of personal data across all jurisdictions in which it operates, ensuring compliance with applicable data protection laws and protecting the privacy rights of customers, employees, and other data subjects.
Scope: All personal data processed by any Simpaisa Group entity in any capacity - whether as data controller, data processor, or joint controller - including customer KYC/KYB data, transaction data, employee data, and data relating to business contacts and counterparties. Applies to all processing activities regardless of whether data is held in digital or physical form, on Group systems or by third-party processors.
Key Provisions:
- Personal data is processed only on a lawful basis; for customers, the primary bases are contractual necessity, legal obligation (AML/CFT record-keeping), and legitimate interests; for employees, contractual necessity and legal obligation apply to most processing
- Cross-border data transfers are subject to jurisdiction-specific rules: transfers from Singapore follow PDPA adequacy and contractual safeguards; transfers from the UK follow UK GDPR Chapter V mechanisms (adequacy decisions, standard contractual clauses); Pakistan PECA and SBP guidelines require certain customer and transaction data to be stored locally within Pakistan; Bangladesh Bank guidelines impose data residency requirements on financial transaction data; UAE Federal Decree-Law No. 45 of 2021 governs transfers to third countries
- Data subjects' rights (access, rectification, erasure, restriction, objection, portability) are supported by defined request-handling procedures; responses are issued within statutory timescales (one month under UK GDPR; variable under other regimes)
- Privacy-by-design principles apply to all new product development, system changes, and third-party integrations; a Data Protection Impact Assessment (DPIA) is required for any processing that is likely to result in high risk to data subjects
- Personal data is retained only for as long as necessary for the purposes for which it was collected and for statutory retention periods (minimum five years for AML/CFT records; seven years in Canada and Pakistan; specific retention periods apply to other categories); deletion is carried out securely and documented
- Data breaches are investigated and, where required, reported to the relevant supervisory authority within statutory timeframes (72 hours under UK GDPR; as required under applicable domestic law in other jurisdictions); affected data subjects are notified where required
Regulatory Basis: Singapore PDPA 2012 (as amended); UK GDPR and Data Protection Act 2018; Canada PIPEDA and applicable provincial privacy legislation; Pakistan PECA 2016 and SBP data directives; Bangladesh ICT Act 2006 and Bangladesh Bank guidelines; Nepal Privacy Act 2018; UAE Federal Decree-Law No. 45 of 2021; DIFC Data Protection Law 2020 (applicable to UAE DIFC entity).
Cross-References: Data Retention and Protection Policy (existing Tier 1, Policy 13); Data Governance Policy (Section 27.4, Policy 3 - to be drafted); Information Security Policy (Section 28.7); Record Retention Policy (Section 28.16); Section 16.7 (Data Protection by Jurisdiction).
Owner and Review Cycle: Group CISO / Group Chief Compliance Officer (joint ownership). Annual review; additional review triggered by any data breach notification, regulatory change, new market entry, or DPIA finding.
28.9 Business Continuity and Disaster Recovery Policy¶
[Note: This policy is identified as required in Section 27.4 (Operational Resilience Policy) and should be drafted as part of or alongside that initiative. The summary below describes what the policy should contain upon drafting.]
Purpose: The Business Continuity and Disaster Recovery Policy establishes the Group's approach to maintaining the continuity of critical payment operations and IT systems during and following disruptive events, including technology failures, cyberattacks, natural disasters, civil unrest, and third-party outages, with the objective of meeting the Group's stated 99.9%+ uptime target and regulatory recovery time obligations.
Scope: All Group entities, all critical business services (payment processing, settlement, sanctions screening, customer onboarding, regulatory reporting), all supporting technology infrastructure (AWS cloud environment, Eastnets platform, partner APIs), and all third-party services that underpin critical operations.
Key Provisions:
- Business Impact Analysis (BIA) is conducted annually to identify critical business services and define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each; payment transaction processing has a target RTO of four hours and RPO of zero data loss; settlement has a target RTO of eight hours
- Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) are maintained for each critical service; plans are reviewed annually and tested through tabletop exercises (at least annually) and live failover tests (at least twice a year for payment processing)
- IT disaster recovery leverages AWS multi-region architecture; primary workloads run in the primary AWS region with automated failover to a designated secondary region; recovery procedures are documented and tested
- The Operational Resilience framework (to be formalised in the companion Operational Resilience Policy) defines important business services, sets impact tolerances, and requires the Group to demonstrate the ability to remain within those tolerances under severe but plausible scenarios
- Frontier market operations (Pakistan, Bangladesh, Nepal, Iraq) have specific BCP addenda addressing local risks: extended power outages, banking system disruption, civil unrest, and telecommunications failures; these plans include manual workaround procedures and arrangements with local banking partners
- Business continuity incidents are managed through the Incident Management procedure (RASCI Matrix 7.11); major outages (affecting customer-facing services for more than 30 minutes) are escalated to the Group COO and Group CISO within 15 minutes; regulatory notification is made in accordance with applicable requirements (DFSA: immediate notification of material operational incidents; SBP: within 24 hours; FINTRAC: as required)
Regulatory Basis: DFSA Operational Risk Module; MAS Technology Risk Management Guidelines (BCP provisions); SBP Circulars on Disaster Recovery; Bangladesh Bank ICT Security Guidelines (BCP requirements); ISO 22301:2019 (Business Continuity Management); ISO/IEC 27001 (Annex A.17, Information Security Aspects of Business Continuity Management, in the 2013 edition; controls 5.29 and 5.30 in the 2022 edition).
Cross-References: Information Security Policy (Section 28.7); Outsourcing and Third-Party Management Policy (Section 28.11); Acceptable Use and IT Security Policy (Section 28.10); Section 10.5 (Operational Resilience); Section 16.9 (Incident Response Plan); RASCI Matrix 7.11.
Owner and Review Cycle: Group COO / Group CISO (joint ownership). Annual review, with DR testing twice a year; additional review following any material outage, cyberattack, or regulatory notification.
28.10 Acceptable Use and IT Security Policy¶
[Note: This policy should be formalised and added to the Policy Index as a Tier 1 document, drawing on the existing Security Architecture document and ISMS.]
Purpose: The Acceptable Use and IT Security Policy defines the standards of acceptable behaviour for all personnel accessing Simpaisa's information systems, networks, and devices, establishing the baseline controls necessary to protect the Group's technology environment from internal and external threats.
Scope: All employees, contractors, consultants, and third-party users who access any Simpaisa Group system, network, or device, regardless of their location or the ownership of the device used. Covers all Group-owned and personal devices used to access Group systems (BYOD), all cloud services, internal applications, collaboration tools, and communication platforms.
Key Provisions:
- Acceptable use: systems and devices may be used only for legitimate business purposes; personal use is permitted only where it does not compromise security, productivity, or the Group's legal obligations; access to prohibited content categories (gambling, adult content, hate speech, malware sites) is blocked at the network level and prohibited by policy
- Password and authentication standards: all accounts accessing Group systems must use strong passwords or passphrases meeting minimum complexity requirements; privileged accounts, remote access, and cloud console access require multi-factor authentication (MFA) without exception
- Endpoint security: all Group-managed devices must have approved endpoint protection software installed and current; automatic screen lock activates after a defined idle period; encryption of device storage is mandatory for all portable devices and laptops
- Remote access: remote connectivity to Group systems must be via approved VPN or zero-trust network access solution; users must not connect to public Wi-Fi networks without VPN active; split tunnelling is not permitted for corporate traffic
- Software and application management: users may not install unauthorised software; all software must be procured through the approved procurement process and licensed appropriately; shadow IT is prohibited; approved cloud services are defined in the Group IT Asset Register
- Incident reporting: users must report suspected security incidents, lost or stolen devices, phishing attempts, or unusual system behaviour to the IT Help Desk and SOC immediately; failure to report is a disciplinary offence
Regulatory Basis: ISO/IEC 27001:2022 (Annex A - People controls, Physical controls, Technological controls); PCI DSS v4.0; MAS TRM Guidelines; SBP Cyber Security Policy.
Cross-References: Information Security Policy (Section 28.7); Data Protection and Privacy Policy (Section 28.8); Code of Conduct and Ethics (Section 28.14); Section 16 (Information Security and Cyber Resilience).
Owner and Review Cycle: Group CISO. Annual review; additional review following any material security incident related to user behaviour or endpoint compromise.
28.11 Outsourcing and Third-Party Management Policy¶
[Note: This policy is identified as required in Section 27.4. The summary below describes what it should contain upon drafting.]
Purpose: The Outsourcing and Third-Party Management Policy establishes the framework for identifying, approving, managing, monitoring, and exiting outsourcing arrangements and third-party relationships, ensuring that the Group retains accountability for all outsourced functions, manages associated risks, and meets regulatory obligations in each jurisdiction.
Scope: All arrangements in which a Simpaisa Group entity relies on a third party to perform a function or deliver a service that the entity would otherwise perform itself, including cloud infrastructure services (AWS), sanctions screening (Eastnets), payment channel partnerships (mobile network operators, banks, PSPs), professional services providers (legal, audit), and any intragroup service arrangements. The policy applies to all entities and covers both material outsourcing arrangements (as defined by the relevant regulator) and non-material third-party dependencies.
Key Provisions:
- Third-party risk classification: all third parties are classified by criticality (Critical, High, Medium, Low) based on the nature of the service, data access granted, substitutability, and regulatory classification of the arrangement as material or non-material outsourcing; Critical and High classifications trigger enhanced due diligence and ongoing monitoring obligations
- Pre-engagement due diligence: before engaging any Critical or High-rated third party, the relevant function head must complete a due diligence assessment covering financial stability, regulatory status, information security posture (where relevant), AML/CFT controls (for payment channel partners), and sanctions screening; findings are documented and approved by the Group COO and Group CCO (for financial crime-relevant third parties)
- Contractual requirements: all outsourcing contracts with Critical and High-rated parties must include minimum terms mandated by the Group (and by applicable regulators where they prescribe specific contract requirements): right to audit, right to terminate for cause, data security obligations, incident notification, regulatory access rights, sub-contracting restrictions, and exit and transition provisions
- DFSA-specific requirements: outsourcing arrangements for the UAE entity that fall within the DFSA's definition of material outsourcing must be notified to the DFSA before implementation; DFSA notification templates and the outsourcing register will be maintained by the UAE entity's compliance officer with Group CCO oversight
- Ongoing monitoring: Critical and High-rated third parties are subject to annual performance and risk reviews; payment channel partners are monitored on an ongoing basis through transaction data analysis, SLA reporting, and periodic relationship management meetings; adverse events (regulatory actions against the third party, security incidents, financial distress) trigger an immediate reassessment
- Exit planning: for all Critical third-party relationships, an exit plan must be in place and tested before the arrangement becomes live; exit plans are reviewed annually and upon any material change to the third party's structure or capability; the Group must be able to demonstrate to its regulators the ability to exit any material outsourcing arrangement without unacceptable disruption
Regulatory Basis: DFSA Outsourcing Rules (GEN Chapter 2, COB Chapter 7); MAS Guidelines on Outsourcing; SBP Technology Service Provider guidelines; FINTRAC Agent of the Crown provisions; EBA Guidelines on Outsourcing Arrangements (relevant to Commerce Plex as a UK-registered entity); ISO 27001 (supply chain security controls).
Cross-References: Risk Assessment Policy (Section 28.6); Information Security Policy (Section 28.7); Operational Resilience Policy (Section 28.9); Anti-Bribery and Corruption Policy (Section 28.3); Section 13.3 (Operational Risk - Third-Party Risk); RASCI Matrix 7.15 (Vendor and Partner Onboarding).
Owner and Review Cycle: Group COO / Group CCO (joint ownership). Annual review; additional review following any material third-party incident, regulatory change, or onboarding of a new Critical-rated third party.
28.12 Whistleblowing Policy¶
[Note: This policy is identified as required in Section 27.4. The summary below describes what it should contain upon drafting.]
Purpose: The Whistleblowing Policy establishes a safe, accessible, and confidential mechanism through which employees, contractors, and other stakeholders can report concerns about suspected misconduct, regulatory breaches, financial crime, or ethical violations, and provides meaningful protection against retaliation for those who raise concerns in good faith.
Scope: All employees, contractors, consultants, and directors of any Simpaisa Group entity. The policy encourages disclosures from any person, including non-employees (customers, suppliers, members of the public), who have a legitimate concern about the Group's conduct. It covers concerns relating to financial crime (including suspected money laundering, sanctions evasion, fraud, and bribery), regulatory breaches, health and safety, data protection violations, financial misreporting, and serious ethical misconduct.
Key Provisions:
- Multiple reporting channels are provided: a dedicated confidential email address managed by the Group General Counsel; a secure web-based reporting platform accessible via any device; and direct reporting to the Chairman of the Audit and Risk Committee (for concerns involving senior management, the Group CCO, or the General Counsel, so that no concern has to pass through the person it is about). Anonymous reporting is supported and accepted, though reporters are encouraged to identify themselves to facilitate investigation.
- All disclosures are treated as strictly confidential; the identity of the reporter is not disclosed to any person without the reporter's consent, except where required by law or by a regulatory authority.
- A substantive acknowledgement is issued within five business days of receipt; the reporter (where identified) is kept informed of progress at reasonable intervals and receives a final outcome notification within 60 days of the initial report.
- Investigations are conducted by or under the supervision of the Group General Counsel (for concerns not involving the General Counsel) or the Chairman of the Audit and Risk Committee (for concerns involving senior management or the General Counsel); investigations are conducted fairly, promptly, and with due regard to the rights of the subject.
- Retaliation against any person who raises a concern in good faith is a serious disciplinary offence that may result in dismissal; the Group CHRO monitors for signs of retaliation, and the Audit and Risk Committee receives a quarterly summary of disclosures and investigation outcomes.
- All disclosures, regardless of the outcome of the investigation, are recorded in the Whistleblowing Register maintained by the Group General Counsel; the Register is reviewed quarterly by the Audit and Risk Committee, and patterns of disclosure are used to inform the risk assessment programme.
Regulatory Basis: DFSA Whistleblower Protection Rules; UK Public Interest Disclosure Act 1998 (applies to Commerce Plex employees); Canada Criminal Code and PCMLTFA whistleblower provisions; Singapore Companies Act (whistleblower provisions); Pakistan Protection of Whistleblowers Act (to the extent applicable); FATF Recommendation 34 (guidance and feedback); Transparency International best practice.
Cross-References: Code of Conduct and Ethics (Section 28.14); Anti-Bribery and Corruption Policy (Section 28.3); AML/CFT/CPF Policy Suite (Section 28.1); Conflicts of Interest Policy (Section 28.13); Section 4.2.1 (Audit and Risk Committee).
Owner and Review Cycle: Group CCO / Group General Counsel (joint ownership). Annual review; additional review following any substantiated disclosure, regulatory guidance change, or introduction of operations in a new jurisdiction.
28.13 Conflicts of Interest Policy¶
[Note: This policy is identified as required in Section 27.4. The summary below describes what it should contain upon drafting.]
Purpose: The Conflicts of Interest Policy establishes the framework for identifying, managing, mitigating, and where necessary disclosing conflicts of interest affecting directors, senior managers, and employees of the Simpaisa Group, ensuring that the Group acts in the best interests of its customers and in accordance with its regulatory obligations.
Scope: All directors and board committee members of any Group entity, all members of the Executive Leadership Team, all employees, and any contractors or agents who owe fiduciary or regulatory duties to the Group or its customers. The policy covers all situations where a personal, financial, or professional interest (actual, potential, or perceived) could improperly influence, or be seen to influence, a business decision, an advisory relationship, or the conduct of business with customers.
Key Provisions:
- All directors and Executive Leadership Team members must complete an annual Conflicts of Interest Declaration, disclosing all external directorships, significant shareholdings, financial interests, and personal relationships that could give rise to a conflict with the Group's activities; declarations are reviewed by the Group General Counsel and, for directors, by the Board Secretariat.
- A Conflicts Register is maintained by the Group General Counsel; conflicts identified through declarations or ad hoc disclosure are logged, assessed, and assigned a management action (avoidance, disclosure, management through information barriers, or recusal).
- Directors must recuse themselves from any board discussion or vote in which they have a material personal interest, and the recusal is recorded in the minutes. Where a director's conflict is pervasive, the Board may determine that the director should step down from the relevant committee or from the board entirely.
- Business allocation: where a transaction or business opportunity could benefit a related party (a director's external business interest, an entity in which a shareholder has a stake), the allocation decision must be made on arm's-length commercial terms, documented, and approved by a disinterested majority of the relevant governance body.
- Gifts and hospitality received from third parties that could influence business decisions must be disclosed on the Gifts and Hospitality Register and are subject to the ABC Policy thresholds; undisclosed receipt of benefits is a disciplinary offence.
- Employee conflicts arising from outside employment, personal relationships with counterparties, or financial interests in competitors or customers must be disclosed to the employee's line manager and the Group CCO; management actions include recusal from relevant decisions or, in serious cases, requiring the employee to divest the interest or terminate the outside employment.
Regulatory Basis: DFSA GEN Module Rule 3.4 (Conflicts of Interest); MAS Corporate Governance Guidelines; UK Companies Act 2006 (directors' duties); Singapore Companies Act; SBP Fit and Proper Criteria (conflict-related provisions); OECD Principles of Corporate Governance.
Cross-References: Code of Conduct and Ethics (Section 28.14); Anti-Bribery and Corruption Policy (Section 28.3); Fit and Proper Policy (Section 27.4, Policy 7); Section 4 (Board and Executive Governance); Section 4.4 (Delegation of Authority Matrix).
Owner and Review Cycle: Group CCO / Group General Counsel (joint ownership). Annual review aligned to the annual declarations cycle; additional review triggered by any material conflict event, board composition change, or new regulatory guidance.
28.14 Code of Conduct and Ethics¶
[Note: This policy is identified as required in Section 27.4. The summary below describes what it should contain upon drafting.]
Purpose: The Code of Conduct and Ethics sets out the behavioural standards and ethical principles that govern how all Simpaisa Group personnel conduct themselves in their professional roles, establishing a shared culture of integrity, accountability, and respect that underpins the Group's regulatory relationships, commercial reputation, and social licence to operate.
Scope: All directors, employees, contractors, and appointed representatives of any Simpaisa Group entity, regardless of location, seniority, or employment type. Third parties acting on the Group's behalf (agents, introducers, joint venture partners) are required by their contractual terms to adhere to standards consistent with this Code.
Key Provisions:
- Integrity and honesty: all personnel must act honestly and with integrity at all times; they must not misrepresent the Group's products, capabilities, or regulatory status to customers, partners, regulators, or the public; internal records and reporting must be accurate and complete.
- Prohibition of corruption and bribery: personnel must comply with the Group ABC Policy and must not offer, give, receive, or solicit any bribe or improper advantage; this applies to all dealings with public officials, commercial counterparties, and any other persons.
- Conflicts of interest: personnel must identify and disclose conflicts in accordance with the Conflicts of Interest Policy and must not allow personal interests to influence professional judgement; personal trading in financial instruments that could be affected by the Group's activities is restricted and subject to pre-clearance requirements.
- Gifts and hospitality: may be given or accepted only within the limits prescribed by the ABC Policy; cash gifts in any amount are prohibited; all material gifts and hospitality are recorded in the Gifts and Hospitality Register.
- Use of company resources: Group assets, systems, and information are used for legitimate business purposes only; personnel must protect confidential information and not disclose it to unauthorised persons; use of Group systems to access, store, or distribute prohibited content is a disciplinary offence.
- Social media and external communications: personnel must not make unauthorised public statements about the Group, its products, its regulatory status, or its performance; external media enquiries must be referred to the Marketing function; social media use must not expose the Group to regulatory, reputational, or legal risk.
- Respect and inclusion: the Group is committed to a workplace free from harassment, discrimination, and bullying; all personnel are treated with dignity and respect regardless of nationality, gender, religion, age, or any other characteristic.
- Consequences: breaches of the Code are subject to disciplinary action, up to and including summary dismissal; criminal conduct is reported to law enforcement; regulatory misconduct is reported to the relevant authority.
Regulatory Basis: DFSA Principle 2 (Conduct of Business); DFSA GEN Module Rule 3.4; MAS Guidelines on Fair Dealing; UK Bribery Act 2010; Canada Corruption of Foreign Public Officials Act; employment law requirements in all operating jurisdictions; Transparency International Business Principles for Countering Bribery.
Cross-References: Anti-Bribery and Corruption Policy (Section 28.3); Conflicts of Interest Policy (Section 28.13); Whistleblowing Policy (Section 28.12); Acceptable Use and IT Security Policy (Section 28.10); Data Protection and Privacy Policy (Section 28.8); HR Policies (Section 19).
Owner and Review Cycle: Group CCO / Group General Counsel (joint ownership), approved by the full Board. Annual review; additional review following any significant conduct matter, regulatory finding, or material cultural change event (e.g., acquisition, major new market entry).
28.15 Complaints Handling Policy¶
[Note: This policy is identified as required in Section 27.4. The summary below describes what it should contain upon drafting.]
Purpose: The Complaints Handling Policy establishes the standards and procedures for receiving, acknowledging, investigating, and resolving complaints from customers, merchants, and other affected parties, ensuring fair and timely redress and providing the Group with systematic intelligence on service quality, fraud, and compliance failures.
Scope: All customer-facing Group entities across all products and channels: pay-ins (merchants and payers), pay-outs (merchants and beneficiaries), remittances (remitters and beneficiaries), and any white-label wallet customers. The policy applies to complaints received via any channel (in-app, email, phone, in person, social media, or via a regulator or third-party representative). It covers complaints from individual consumers and from business customers and merchants.
Key Provisions:
- A "complaint" is defined broadly as any expression of dissatisfaction, whether or not the customer uses the word "complaint", relating to a product, service, transaction, person, or the outcome of a previous enquiry; the Group resolves borderline cases in favour of treating the communication as a complaint.
- All complaints are logged in the central Complaints Register on the day of receipt, assigned a unique reference number, and acknowledged to the complainant within two business days (one business day for DFSA-regulated customers upon Cat 3D authorisation).
- Target resolution timescales: simple complaints within five business days; complex complaints within 30 calendar days (DFSA: final response within 30 days; FINTRAC: in accordance with Canadian consumer protection requirements; SBP: within seven working days for payment-related complaints). Where resolution is not possible within the target period, an interim response is issued explaining the reason for the delay and the expected resolution date.
- Investigation standards: complaints are investigated impartially by a person not involved in the events giving rise to the complaint; where the complaint involves a potential regulatory breach, financial crime indication, or fraud, it is escalated simultaneously to the Group CCO; the investigation conclusion and rationale are documented in the Complaints Register.
- Remediation: where a complaint is upheld, the Group takes appropriate remediation action including, where applicable, financial redress (transaction reversal, fee refund, compensation for demonstrable loss), process correction, and communication to the complainant of the steps taken to prevent recurrence.
- Regulatory escalation: customers who remain dissatisfied after the Group's final response are advised of their right to escalate to the relevant external dispute resolution body (DFSA's Investor Relations and Disputes team for UAE customers; FINTRAC/federal financial consumer agency for Canadian customers; applicable domestic ombudsman or regulator in other jurisdictions).
- Root cause analysis and reporting: complaints data is analysed monthly by the Group CCO to identify patterns, systemic issues, and emerging risks; a quarterly complaints summary (volumes, categories, resolution rates, average resolution times, root causes, and remediation actions) is reported to the Executive Leadership Team and the Audit and Risk Committee.
Regulatory Basis: DFSA Complaints Handling Rules (COB Module, Chapter 12); FINTRAC and Canadian consumer protection requirements; SBP Consumer Protection Framework for Payment Systems; Bangladesh Bank Consumer Protection Guidelines; MAS Guidelines on Fair Dealing (complaints handling provisions).
Cross-References: AML/CFT/CPF Policy Suite (Section 28.1) - complaints may reveal fraud or financial crime; Anti-Fraud Policy (Section 28.5); Code of Conduct and Ethics (Section 28.14); Section 9.3 (Account Management and Partner Success); RASCI Matrix 7.11 (Incident Management).
Owner and Review Cycle: Group CCO / Group COO (joint ownership). Annual review; additional review following any material regulatory finding on complaints handling, significant volume increase, or new market entry that introduces a new regulatory complaints framework.
28.16 Record Retention Policy¶
Purpose: The Record Retention Policy (incorporated within the Group's Data Retention and Protection Policy) establishes the minimum periods for which different categories of business record must be retained, the standards for secure storage during the retention period, and the procedures for controlled and documented destruction at the end of the retention period.
Scope: All records created or received by any Simpaisa Group entity in the course of its business activities, including customer records, transaction records, compliance records (KYC/KYB, CDD, SAR, sanctions screening), financial records, regulatory correspondence, contracts, board and committee minutes, and HR records. Applies to records in all formats: electronic, paper, audio/visual.
Key Provisions:
- Minimum retention periods by record category are set at the longest applicable period across all jurisdictions in which a record is used; where a specific jurisdiction imposes a longer period, the longer period applies to records originating in or primarily relevant to that jurisdiction:
  - Customer identity and CDD records: minimum five years from end of customer relationship (seven years in Canada under the PCMLTFA and in Pakistan under the AML Act 2010; seven years from transaction date in Bangladesh)
  - Transaction records: minimum five years from transaction date (seven years in Canada and Pakistan)
  - SAR/STR records: minimum seven years from the date of submission
  - Sanctions screening records (hit dispositions, false positive records): minimum five years
  - Board and committee minutes: minimum ten years
  - Financial and accounting records: minimum seven years (IFRS, applicable company law)
  - Contracts (commercial, employment, data processing agreements): minimum ten years from expiry
  - Security incident records: minimum five years
  - HR records (employment): minimum seven years from termination of employment
- All records must be stored securely, with access restricted to persons with a legitimate business need; records containing personal data are stored in accordance with the Data Protection and Privacy Policy.
- Electronic records are stored on Group-approved systems (SharePoint, AWS S3 with appropriate access controls and versioning); paper records are stored in secure, access-controlled physical locations; both formats are subject to backup and disaster recovery procedures.
- No record may be destroyed before the end of its applicable retention period without the written approval of the Group General Counsel; destruction is carried out securely (cross-cut shredding for paper; certified deletion for electronic records) and documented in the Destruction Register.
- A legal hold procedure is activated upon commencement of any litigation, regulatory investigation, or anticipated enforcement action; legal holds suspend all destruction of relevant records until the hold is lifted by the Group General Counsel.
- An annual audit of record retention compliance is conducted by the Internal Audit function; findings are reported to the Audit and Risk Committee.
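The retention rule above has three parts that records systems routinely get wrong: the clock starts from a category-specific event (end of relationship, transaction date, submission, expiry, termination), the period is the longest one across the group floor and every jurisdiction the record touches, and an active legal hold overrides the clock entirely. The following Python check is an added example, not Simpaisa Group code; it applies those rules to a record and returns a decision with the reason that would go into the Destruction Register. The year counts are the ones in the Key Provisions above; the jurisdiction codes, event names and the Record and LegalHold structures are assumptions made for this example. Note that the Regulatory Basis below cites a five-year minimum for Bangladesh while the Key Provisions say seven years from transaction date, so the BD entry should be confirmed against the statute before any such table is relied on.

```python
"""Retention-eligibility check for the Record Retention Policy.

Added illustrative example; not Simpaisa Group code. Year counts follow the
policy summary's Key Provisions; jurisdiction codes and trigger-event names
are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# category -> (jurisdiction, minimum years, event that starts the clock).
# "GROUP" is the group-wide floor and always applies; a jurisdiction rule
# applies only when the record is used in that jurisdiction. Constructed from
# the policy text (the BD figure conflicts with the Regulatory Basis: verify).
RULES: dict[str, list[tuple[str, int, str]]] = {
    "cdd": [
        ("GROUP", 5, "relationship_end"),
        ("CA", 7, "relationship_end"),
        ("PK", 7, "relationship_end"),
        ("BD", 7, "transaction"),          # different trigger, not just a longer period
    ],
    "transaction": [("GROUP", 5, "transaction"), ("CA", 7, "transaction"), ("PK", 7, "transaction")],
    "sar": [("GROUP", 7, "submission")],
    "contract": [("GROUP", 10, "expiry")],
    "hr": [("GROUP", 7, "termination")],
}


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    jurisdictions: frozenset[str]   # where the record is used or primarily relevant
    events: dict[str, date]         # trigger event -> date it occurred; absent means not yet occurred


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    record_ids: frozenset[str]
    lifted: bool = False            # only the Group General Counsel lifts a hold


def earliest_destruction_date(rec: Record) -> date | None:
    """Latest end date across all applicable rules, or None if an applicable clock has not started."""
    ends: list[date] = []
    for jurisdiction, years, trigger in RULES[rec.category]:
        if jurisdiction != "GROUP" and jurisdiction not in rec.jurisdictions:
            continue
        if trigger not in rec.events:
            return None             # e.g. a CDD record for a relationship that is still open
        ends.append(add_years(rec.events[trigger], years))
    return max(ends)


def destruction_decision(rec: Record, holds: list[LegalHold], today: date) -> tuple[bool, str]:
    """Whether routine destruction may proceed today, plus the reason for the Destruction Register.

    A False result means stop: early destruction needs the Group General Counsel's
    written approval and is deliberately not something this check can grant.
    """
    active = sorted(h.hold_id for h in holds if not h.lifted and rec.record_id in h.record_ids)
    if active:                      # a hold suspends destruction regardless of the retention clock
        return False, "legal hold active: " + ", ".join(active)
    eligible = earliest_destruction_date(rec)
    if eligible is None:
        return False, "retention clock has not started"
    if today < eligible:
        return False, f"retain until {eligible.isoformat()}"
    return True, f"eligible for secure destruction since {eligible.isoformat()}"


if __name__ == "__main__":
    # Constructed sample records, not real data.
    uae_ca_cdd = Record("cdd-001", "cdd", frozenset({"AE", "CA"}), {"relationship_end": date(2020, 3, 31)})
    bd_cdd = Record("cdd-002", "cdd", frozenset({"BD"}),
                    {"relationship_end": date(2020, 3, 31), "transaction": date(2021, 6, 15)})
    open_cdd = Record("cdd-003", "cdd", frozenset({"AE"}), {})
    hold = LegalHold("LH-7", frozenset({"cdd-001"}))
    for rec in (uae_ca_cdd, bd_cdd, open_cdd):
        print(rec.record_id, destruction_decision(rec, [hold], date(2028, 1, 1)))
```

Two design points worth keeping if this is productised: the per-jurisdiction rule carries its own trigger event rather than just a year count, because the policy's Bangladesh rule runs from a different date than the group floor, and a missing trigger returns "not started" rather than defaulting to record creation, which would otherwise let an open relationship's CDD file fall out of retention. The hold check runs before the clock, so a lifted hold is the only way back to the normal schedule.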
Regulatory Basis: Canada PCMLTFA s.6 (seven-year retention); Pakistan AML Act 2010 and SBP AML/CFT guidelines (seven years); Bangladesh Money Laundering Prevention Act 2012 (five years minimum); Singapore PDPA retention provisions; DFSA record-keeping rules; HMRC record-keeping requirements (UK); ISO 15489 (Records Management standard); FATF Recommendation 11 (record-keeping).
Cross-References: Data Retention and Protection Policy (existing Tier 1, Policy 13); Data Protection and Privacy Policy (Section 28.8); AML/CFT/CPF Policy Suite (Section 28.1); Section 12.2.5 (Record Keeping and Data Retention); Section 17.5 (Statutory and Regulatory Financial Reporting).
Owner and Review Cycle: Group CISO / Group CCO (joint ownership). Annual review; additional review triggered by a change in applicable statutory retention periods in any jurisdiction, a new market entry, or a legal hold event.
End of Part X - Policies, Standards, and Procedures
Document Control: This section forms part of the Simpaisa Group Operating Model v0.1. Owner: Chief Digital Officer. Next scheduled review: April 2027 or upon material regulatory change, whichever is sooner.