
Simpaisa Group - Crisis, Insurance and Succession Documents

Classification: Confidential - Board and Executive Leadership Only
Prepared by: Office of the CDO
Date: April 2026
Version: 1.0


Document 1: Crisis Management and Communications Plan

1. Purpose and Scope

This Crisis Management and Communications Plan ("the Plan") establishes the framework by which Simpaisa Group ("Simpaisa") identifies, escalates, manages, and communicates during crisis events. It applies to all nine group entities, all operating jurisdictions (UAE, Pakistan, Bangladesh, Nepal, Iraq, Canada, United Kingdom), and all 180 employees globally.

The Plan is owned by the Chief Digital Officer (CDO) and reviewed annually by the Crisis Management Team (CMT). It sits alongside, and does not replace, Simpaisa's existing Business Continuity Plan (BCP), Incident Response Plan (IRP), and Disaster Recovery Plan (DRP).


2. Crisis Classification Framework

All incidents are assessed against four tiers. The initial classification is made by the first senior leader notified. The CMT may upgrade or downgrade classification as additional information becomes available. When in doubt, classify upward.

Tier 1 - CRITICAL

Activation of the full CMT is mandatory. War room is convened within one hour.

Trigger | Examples
Payment system outage exceeding four (4) hours | Core processing platform unavailable; settlement rails down
Data breach involving confirmed customer personal or financial data | Exfiltration of KYC records, payment card data, account credentials
Regulatory licence suspension or revocation in any jurisdiction | DFSA, SBP, Bangladesh Bank, FINTRAC enforcement action
Fraud event exceeding USD 100,000 | Internal fraud, synthetic identity fraud, payment fraud at scale

Default response posture: Suspend affected services if risk of further harm exists. Notify regulators within prescribed timelines. Engage external legal counsel and forensic providers immediately.

Tier 2 - SEVERE

CMT convened within two hours. Subset of members may manage depending on nature of event.

Trigger | Examples
Single-country service outage exceeding two (2) hours | Pay-in rails unavailable in Pakistan; remittance processing down in Bangladesh
Critical third-party / operator failure | Payment processor insolvency, correspondent bank suspension, telco partner outage
Cyber incident contained but under investigation | Malware detected and isolated; unauthorised access attempt under forensic review
Regulatory investigation opened | Regulatory enquiry letter received; on-site examination commenced

Tier 3 - SIGNIFICANT

Managed by relevant functional head with CDO and COO informed. CMT briefed at next scheduled meeting unless escalation is warranted.

Trigger | Examples
Degraded service performance | Transaction success rate below SLA threshold; increased latency
Material partner or merchant dispute | Contract dispute threatening significant revenue; public disagreement
Negative media coverage | Adverse press coverage, social media campaign, reputational risk event
Employee misconduct allegation | Allegation of fraud, harassment, data misuse by employee

Tier 4 - MINOR

Managed within the relevant team. Escalated to Tier 3 if unresolved within 24 hours or if situation worsens.

Trigger | Examples
Localised technical fault | Single-corridor processing delay; isolated API error
Customer complaint spike | Volume increase above 150% of daily average without systemic cause
Minor system fault | Non-critical service degradation; cosmetic or reporting errors

3. Crisis Governance

3.1 Crisis Management Team (CMT)

The CMT is the decision-making body during Tier 1 and Tier 2 crises.

Role | Member | Tier 1 | Tier 2
Chair | CEO - Yassir Pasha | Mandatory | Mandatory
Deputy Chair / Operations | COO - Kamil Shaikh | Mandatory | Mandatory
Technology, Product and Security | CDO - Daniel O'Reilly | Mandatory | Mandatory
Finance and Treasury | CFO - Mohammad Mustafa | Mandatory | As required
Legal and Compliance | Head of Legal (TBC) | Mandatory | Mandatory
Regulatory and AML | Global Head Regulatory / MLRO - Shoukat Bizinjo | Mandatory | As required
Communications | Brand Manager (TBC) | Mandatory | As required
Country Representative | Relevant Country Head | As required | As required

The Board Chairman (Nadeem Hussain) is to be notified by the CEO within four hours of a Tier 1 classification. The full Board is informed within 24 hours.

The CMT may co-opt additional members (CISO Danish Hamid, CTO Saqlain Raza, CRO Shahroze Khan) as the nature of the crisis requires.

3.2 War Room Activation

A "war room" is a dedicated, continuous command structure for managing a Tier 1 or declared Tier 2 crisis. It is distinct from a standard incident call.

Activation criteria:
  • Automatic for all Tier 1 classifications
  • At CEO or CDO discretion for Tier 2 classifications

War Room Process:

  1. The first senior leader to identify a potential Tier 1 event activates the CMT via the Crisis Notification Channel (Microsoft Teams: #crisis-cmt). The WhatsApp CMT group is the out-of-band backup and is the primary channel whenever the Microsoft 365 tenant itself is unavailable or is suspected to be compromised, since an attacker with tenant access could otherwise read the crisis channel.
  2. CMT convenes on the designated video bridge within 30 minutes of notification.
  3. CDO assumes Incident Commander role until CEO joins.
  4. A Crisis Log is opened immediately in the designated secure shared drive. All decisions, actions, and communications are time-stamped and recorded.
  5. Status updates are issued to the CMT every 30 minutes until the crisis is downgraded or resolved.
  6. The war room remains active until the CEO formally declares the crisis resolved or downgraded.

Physical war room: Where a physical presence is required, the Dubai (DIFC) boardroom is the primary location. The Pakistan Karachi office is the secondary location.

3.3 Decision Authority During Crisis

Decision | Tier 1 Authority | Tier 2 Authority | Tier 3 Authority
Suspend payment services (single corridor) | CEO or COO or CDO | COO or CDO | COO
Suspend payment services (all corridors) | CEO only | CEO only | N/A
Issue public statement | CEO (approved by Chair) | CEO | Head of Legal + CDO
Notify regulators | MLRO + CEO | MLRO | MLRO
Engage external legal counsel | CEO or Head of Legal | Head of Legal | Head of Legal
Engage forensic / cyber incident response firm | CEO or CDO | CDO or CISO | CISO
Activate BCP / DRP | CEO or CDO | CDO or CTO | CTO
Authorise emergency expenditure (up to USD 100K) | CFO | CFO | CFO
Authorise emergency expenditure (above USD 100K) | CEO + CFO | CEO + CFO | N/A
Approve customer communications | CDO + CEO | CDO | Relevant functional head
Approve media communications | CEO + Chair | CEO | CEO

3.4 Escalation Matrix by Crisis Tier

Tier | First Notified | Notified Within | CMT Convened | Board Notified
Tier 1 - CRITICAL | CMT via crisis channel | Immediate | Within 1 hour | Within 4 hours
Tier 2 - SEVERE | CEO + CDO + COO | 30 minutes | Within 2 hours | Within 24 hours
Tier 3 - SIGNIFICANT | CDO + COO | 2 hours | Not required (briefed) | Not required (noted)
Tier 4 - MINOR | Relevant functional head | 4 hours | Not required | Not required

4. Communication Protocols

4.1 Internal Staff Notification

All internal communications during a crisis are the responsibility of the CDO, working with the Brand Manager and People function.

Tier | Timeline | Channel | Content
Tier 1 | Within 30 minutes of classification | All-staff email + Slack/Teams announcement | Nature of incident, impact, what staff should / should not do, single point of contact
Tier 2 | Within 2 hours of classification | Email to affected teams + managers briefed | Nature of incident, operational impact, instructions
Tier 3 | Within same business day | Manager cascade | Context and operational guidance
Tier 4 | As required | Line manager | Operational guidance only

Staff must not discuss any crisis event on personal social media or with the press. Any media enquiry is directed immediately to the Brand Manager.

4.2 Regulatory Notification Timelines

Regulatory notification is the joint responsibility of the MLRO (Shoukat Bizinjo) and the relevant Country Head. Notification timelines are non-negotiable and must be treated as hard deadlines.

Regulator | Jurisdiction | Event Type | Notification Deadline | Method
Dubai Financial Services Authority (DFSA) | UAE / DIFC | Material operational incident, data breach, fraud | Within 24 hours of becoming aware | Written notification to DFSA Supervision; telephone for Tier 1 events
Monetary Authority of Singapore (MAS) | Singapore (HoldCo) | Major operational disruption, cyber incident | Within 1 hour of becoming aware (initial); full report within 14 days | MAS Technology Risk Reporting (TRR) portal
State Bank of Pakistan (SBP) | Pakistan | System outage, fraud, AML breach | Within 4 hours of becoming aware | SBP reporting portal + email to assigned supervisor
Bangladesh Bank | Bangladesh | Operational incident, cyber event, fraud | Within 24 hours of becoming aware | Written report to Bangladesh Bank Payment Systems Department
Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) | Canada | Suspicious transaction, terrorist financing | As per Proceeds of Crime (Money Laundering) Act timelines (3 days for STRs) | FINTRAC reporting portal
Financial Conduct Authority (FCA) | United Kingdom | Operational incident, material fraud | Within 72 hours of awareness (Operational Resilience requirements) | FCA Connect
Central Bank of Iraq (CBI) | Iraq | Material incident | Within 24 hours | Written notification to CBI
Nepal Rastra Bank (NRB) | Nepal | Material incident | Within 24 hours | Written notification

The MLRO maintains a Regulatory Notification Log. All notifications are copied to the Head of Legal and CFO.

4.3 Merchant and Partner Notification Templates

Template M1 - System Outage (Tier 1/2)

Dear [Partner Name],

We are writing to inform you that Simpaisa is currently experiencing a service disruption affecting [describe affected service/corridor]. This has been classified as a priority incident and our technical teams are working to restore full service.

Current status: [Investigating / Identified / In remediation] Estimated restoration: [Time if known / To be confirmed] Impact to your operations: [Describe specific impact]

We will provide a further update within [X] hours. Transactions submitted during this period [will be queued and processed upon restoration / should be held pending our confirmation].

For urgent queries, please contact your Simpaisa account manager at [contact] or our partner operations line at [number].

We apologise for any inconvenience caused.

Simpaisa Partner Operations

Template M2 - Regulatory Action

Dear [Partner Name],

We wish to advise you that Simpaisa is currently engaged with [regulator name] in respect of [a regulatory matter / a compliance review]. We are cooperating fully with [the regulator] and are committed to resolving this matter promptly.

[Service impact if any: At this time, services continue to operate normally / The following services are temporarily suspended: [list]]

We will communicate any material developments that affect your operations as promptly as possible. All existing contractual commitments remain in force.

If you have any questions, please contact [Head of Legal / your account manager].

Simpaisa Group

Template M3 - Fraud Event

Dear [Partner Name],

We are writing to alert you to a fraud event that may have impacted [describe scope - e.g., transactions processed through your integration between [date] and [date]].

We have identified and contained the issue. Our security and compliance teams are conducting a full investigation. [Relevant transactions have been flagged and quarantined / We are reviewing affected transactions and will notify you of any requiring remediation.]

Please [take no action at this time / suspend new transaction submissions pending our investigation / review the attached list of affected transactions].

We take this matter extremely seriously and are committed to providing you with a full incident report within [X] business days.

Simpaisa Security and Compliance

4.4 Media Holding Statement Templates

These statements are approved for use by the CEO or, in the CEO's absence, the CDO. No other individual may issue a public statement. All media enquiries are routed through the Brand Manager.

Scenario 1 - System Outage

Simpaisa is currently experiencing a technical issue affecting [service name]. Our engineering teams are working to resolve this as a matter of urgency. We apologise to affected customers and partners and will provide updates through our status page at [URL] and our official social media channels. Customer funds are secure and unaffected. [Include the final sentence only once the CFO and CTO have confirmed it; do not assert it by default.]

Scenario 2 - Data Breach

Simpaisa has identified a security incident that may have involved unauthorised access to certain customer data. We have contained the incident [include only once the CISO confirms containment] and have engaged specialist security experts to conduct a thorough investigation. We are notifying affected individuals and the relevant regulatory authorities in accordance with our obligations. The security and trust of our customers is our highest priority. We will provide further information as our investigation progresses.

Scenario 3 - Regulatory Action

Simpaisa is cooperating fully with [regulator name] in relation to a compliance matter. We are unable to comment further at this stage, but we are committed to full transparency with our regulators and to maintaining the highest standards of compliance across all our operations.

Scenario 4 - Fraud Incident

Simpaisa has identified and contained a fraud incident. We are conducting a thorough investigation with the assistance of law enforcement and specialist forensic experts. Affected customers will be contacted individually. Customer funds held with Simpaisa are safeguarded in accordance with regulatory requirements. We will not comment further while the investigation is ongoing.

Scenario 5 - Partner or Operator Failure

Simpaisa is aware that one of its third-party service partners is experiencing difficulties. We are actively managing the situation to minimise impact on our customers and have activated contingency arrangements. We will provide updates as the situation develops.

4.5 Customer In-App Messaging Templates

In-App Message 1 - Service Disruption

We're currently experiencing a technical issue affecting [service]. Our team is working hard to fix this. Your funds are safe. [Include only once confirmed.] We'll update you here as soon as service is restored. Thank you for your patience.

In-App Message 2 - Scheduled Maintenance

We'll be carrying out scheduled maintenance on [date] between [time] and [time] (your local time). Some services may be temporarily unavailable. Please plan any transactions accordingly. Thank you.

In-App Message 3 - Security Notice

Important security notice: We have identified unusual activity and are investigating as a priority. As a precaution, we recommend you review your recent transactions and change your password. If you notice anything unexpected, please contact support immediately at [link/number].

In-App Message 4 - Service Restored

Good news - the issue affecting [service] has been resolved. Full service has been restored as of [time]. We apologise for any inconvenience and appreciate your patience. If you experienced any transaction issues during the disruption, please contact our support team.


5. Crisis Response Playbooks

Playbook A: Major Payment System Failure

Applicable Tier: 1 or 2 depending on scope and duration

Trigger: Core payment processing unavailable for more than 60 minutes, or anticipated to exceed four hours.

Immediate Actions (0–60 minutes):
  1. CTO and CDO confirm scope of outage (which corridors, which products, which entities affected).
  2. CTO activates Disaster Recovery Plan for payment infrastructure.
  3. COO assesses whether manual processing or contingency rail can be activated.
  4. CFO confirms Treasury exposure - outstanding settlements, prefunding positions.
  5. CMT convened. Tier classification confirmed.
  6. MLRO assesses regulatory notification obligations (see Section 4.2).
  7. Brand Manager prepares holding statement (Scenario 1).
  8. Partner Operations team notified - use Template M1.
  9. In-app message published - use Message 1.

Sustained Response (1–4 hours):
  1. Status updates to CMT every 30 minutes.
  2. Customer support team briefed and staffed up.
  3. SLA breach assessment prepared by COO for affected merchant partners.
  4. CEO informs Board Chairman.

Resolution Actions:
  1. CTO confirms restoration and root cause identified.
  2. CDO approves in-app restoration message - use Message 4.
  3. Merchant partners notified of restoration - Template M1 (updated).
  4. Post-incident report initiated within 48 hours.

Key Contacts: CTO (Saqlain Raza), CDO (Daniel O'Reilly), COO (Kamil Shaikh), Payment Operations Lead.


Playbook B: Cyber Security Incident / Data Breach

Applicable Tier: 1 (confirmed breach with customer data) or 2 (contained incident)

Trigger: Confirmed or suspected unauthorised access to Simpaisa systems, customer data, or financial infrastructure.

Immediate Actions (0–60 minutes):
  1. CISO (Danish Hamid) confirms incident classification and containment status.
  2. Affected systems isolated immediately at the network level - do not power off; preserve forensic evidence (volatile memory and logs are lost on shutdown, so capture them first where feasible).
  3. CISO engages external Incident Response (IR) retainer provider.
  4. CDO and CEO notified immediately.
  5. CMT convened. Tier 1 classification assumed until downgraded.
  6. Legal privilege established - all communications through Head of Legal from this point.
  7. Forensic investigation commenced. Beyond initial containment, no remediation action (eradication, rebuilds, bulk credential resets) is taken without CISO sign-off, so that evidence is not destroyed before it is captured.

Regulatory Notification (within applicable timelines):
  1. MLRO and Head of Legal assess notification obligations by jurisdiction (see Section 4.2).
  2. MAS notified within 1 hour if Singapore systems or HoldCo data affected.
  3. DFSA notified within 24 hours for any event affecting UAE-licensed entity or customer data.
  4. Customer notification strategy agreed by CMT - legal obligation assessed jurisdiction by jurisdiction.

Sustained Response:
  1. Forensic investigation led by CISO and external IR provider - daily briefings to CDO.
  2. CMT updates every four hours.
  3. No public statement beyond holding statement without CEO and Chair approval.
  4. HR and Legal assess any internal actor involvement.
  5. PCI DSS breach obligations assessed by CISO: where cardholder data may be involved, the acquirer and card brands are notified per their rules and a PCI Forensic Investigator (PFI) is engaged, as the card brands require for a suspected account data compromise (a QSA assesses compliance and is not the forensic role).

Resolution:
  1. CISO confirms containment and eradication complete.
  2. Systems restored from clean backup or rebuilt; credentials, keys and tokens that were reachable from the compromised systems rotated before reconnection.
  3. Affected customers notified per legal advice.
  4. Regulatory incident reports submitted per jurisdiction timelines.
  5. Post-incident report and lessons learned within 30 days.

Key Contacts: CISO (Danish Hamid), CDO (Daniel O'Reilly), Head of Legal, External IR Retainer Provider [TBC].


Playbook C: Regulatory Enforcement Action

Applicable Tier: 1 (licence suspension) or 2 (investigation opened)

Trigger: Receipt of a regulatory enforcement notice, show-cause letter, licence suspension, or announcement of formal investigation.

Immediate Actions (0–4 hours):
  1. Head of Legal and MLRO (Shoukat Bizinjo) review the notice and confirm scope and jurisdiction.
  2. CEO and CDO notified immediately.
  3. CMT convened. Board Chairman notified by CEO.
  4. External specialist regulatory legal counsel engaged immediately.
  5. Legal hold placed on all relevant documents, systems, and communications.
  6. No employee to communicate with the regulator directly - all communications through MLRO and Head of Legal.
  7. Regulatory response team formed: CEO, Head of Legal, MLRO, CFO, relevant Country Head.

Regulatory Engagement:
  1. Acknowledgement of notice submitted within required timeframe.
  2. Regulatory response strategy agreed with external legal counsel.
  3. Internal investigation commenced in parallel (privilege maintained).
  4. All regulatory commitments and deadlines tracked on a dedicated register.

Communications:
  1. No public statement until legal position is clear.
  2. Template M2 issued to affected merchant partners at CEO discretion.
  3. Staff communications: factual, limited, through CEO - "We are working with [regulator]; business continues."
  4. Board kept informed weekly or upon material development.

Resolution:
  1. Enforcement matter closed, conditions agreed, or licence restored.
  2. Remediation plan implemented and evidenced to regulator.
  3. Post-incident regulatory lessons embedded into compliance programme.
  4. Board and relevant Board Committee briefed on outcome.

Key Contacts: MLRO (Shoukat Bizinjo), Head of Legal, CEO (Yassir Pasha), External Regulatory Counsel [TBC by jurisdiction].


Playbook D: Fraud Incident

Applicable Tier: 1 (exceeding USD 100K) or 2 (below threshold but material)

Trigger: Confirmed or suspected fraud event, whether internal, external, or social engineering in origin.

Immediate Actions (0–2 hours):
  1. CRO (Shahroze Khan) and CISO confirm fraud nature and quantum.
  2. Affected accounts, transactions, or corridors suspended immediately.
  3. CEO, CDO, and CFO notified.
  4. CMT convened if Tier 1. CFO confirms Treasury and insurance implications.
  5. Law enforcement engagement assessed by Head of Legal and MLRO.
  6. Fidelity / Crime insurance insurer notified (see Insurance Programme Brief).
  7. Evidence preserved - do not alert suspected internal actors.

Investigation:
  1. CRO leads fraud investigation with CISO support.
  2. External forensic accountant engaged if internal fraud suspected.
  3. HR and Legal involved if employee conduct is implicated.
  4. Affected customers identified and notified per regulatory obligation.
  5. MLRO files Suspicious Activity Reports (SARs) as required by jurisdiction.

Communications:
  1. Holding statement (Scenario 4) issued if media enquiry received.
  2. Affected merchant partners notified using Template M3.
  3. Internal communications managed carefully - do not disclose identities of suspected actors.

Resolution:
  1. Fraud losses quantified. Insurance claim lodged.
  2. Control weaknesses identified and remediated.
  3. CRO presents fraud post-mortem to Board Risk Committee within 30 days.
  4. Regulatory reports submitted as required.

Key Contacts: CRO (Shahroze Khan), CISO (Danish Hamid), CFO (Mohammad Mustafa), MLRO (Shoukat Bizinjo), Head of Legal.


Playbook E: Key Person Loss or Unavailability

Applicable Tier: 2 (sudden unavailability of C-suite) or 3 (planned absence with insufficient cover)

Trigger: A regulated or critical role holder becomes suddenly unavailable due to incapacitation, death, resignation, or other circumstance.

Immediate Actions (0–24 hours):
  1. CEO notified immediately by the relevant individual or their line manager.
  2. CEO activates the Succession Planning Matrix (Document 3) for the affected role.
  3. Emergency cover holder confirmed and briefed within four hours.
  4. For DFSA-regulated roles (CEO/SEO, Finance Officer, MLRO), Head of Legal notifies DFSA within the required period (DFSA requires notification of change of approved person; temporary arrangements discussed with supervision team).
  5. For SBP relationship holder, Country Head Pakistan (Noor Ali) notified to manage SBP continuity.

Regulatory Notification (DFSA-specific):
  • Change or temporary absence of SEO: notify DFSA promptly; agree temporary arrangement.
  • Change of MLRO: notify DFSA within 14 days; interim MLRO appointed from qualified persons.
  • Change of Finance Officer: notify DFSA.

Sustained Response:
  1. Interim appointment confirmed for regulatory purposes.
  2. Board / Nomination Committee informed within 24 hours for C-suite roles.
  3. Recruitment process initiated per urgency of the role.
  4. Key person insurance claim assessed by CFO (see Insurance Programme Brief).

Key Contacts: CEO (Yassir Pasha), Head of Legal, MLRO (Shoukat Bizinjo), Chairman (Nadeem Hussain).


Playbook F: Geopolitical Crisis in Operating Country

Applicable Tier: 1 (sanctions imposed, civil war, market exit required) or 2 (civil unrest, operational disruption)

Trigger: Significant geopolitical event in an operating country (Pakistan, Bangladesh, Nepal, Iraq, UAE, Canada, UK) that materially affects Simpaisa's operations, staff safety, or regulatory standing.

Immediate Actions (0–4 hours):
  1. CEO and COO briefed by relevant Country Head.
  2. Staff safety in affected country assessed and confirmed.
  3. CMT convened. Tier classification agreed.
  4. Head of Legal and MLRO assess sanctions implications (OFAC, UK OFSI, EU, UN sanctions).
  5. CFO assesses Treasury exposure - prefunding, settlement balances, customer funds in-country.
  6. Payment flows to/from affected country suspended pending assessment (default: suspend first, reassess with information).

Regulatory Engagement:
  1. DFSA notified if UAE operations affected or if sanctions apply to Simpaisa's DIFC-regulated activity.
  2. MLRO assesses whether existing transactions or relationships breach new sanctions.
  3. External sanctions counsel engaged if legal position is unclear.

Staff Safety:
  1. COO coordinates with HR on staff welfare in affected country.
  2. Emergency evacuation or remote working arrangements activated as required.
  3. COO maintains daily contact with Country Head.

Business Continuity:
  1. CTO assesses ability to operate critical functions remotely.
  2. COO identifies contingency processing arrangements (rerouting through alternative corridors).
  3. Merchant partners in affected country notified using Template M1 or M2 as appropriate.

Market Exit (if required):
  1. Head of Legal and CFO prepare entity wind-down plan.
  2. Customer funds repatriated per regulatory obligation.
  3. Regulatory notifications filed.
  4. Partner contracts reviewed for force majeure provisions.

Key Contacts: COO (Kamil Shaikh), MLRO (Shoukat Bizinjo), Head of Legal, CFO (Mohammad Mustafa), Relevant Country Head.


6. Post-Crisis Review Process

Every Tier 1 and Tier 2 crisis must be subject to a formal Post-Crisis Review (PCR). Tier 3 events are reviewed at the discretion of the CDO.

6.1 Review Timeline

Milestone Timeline from Resolution
Initial debrief (CMT) Within 48 hours
Draft PCR report Within 10 business days
Final PCR report Within 20 business days
Board Risk Committee presentation (Tier 1 only) Within 30 days
Remediation actions closed Per agreed action plan

6.2 PCR Report Contents

The PCR report must address:

  1. Event Summary: What happened, when, and how it was classified.
  2. Timeline: Full chronological log of events, decisions, and communications.
  3. Root Cause Analysis: Immediate cause, contributing factors, and systemic causes (5 Whys or equivalent methodology).
  4. Response Assessment: What went well; what did not; where the Plan functioned as designed; where it fell short.
  5. Regulatory and Legal Assessment: All notifications made, regulators' responses, legal exposure assessed.
  6. Financial Impact: Direct costs, lost revenue, insurance recovery (if applicable).
  7. Remediation Actions: Specific, time-bound, owner-assigned actions to prevent recurrence and improve response capability.
  8. Plan Updates: Any amendments required to this Plan, the BCP, IRP, or DRP.

6.3 PCR Ownership

The CDO owns the PCR process. Each PCR report is reviewed by the CEO and presented to the Board Risk Committee for Tier 1 events. A remediation tracker is maintained by the CDO's office and reviewed quarterly.


7. Annual Crisis Simulation Exercise Requirements

Simpaisa will conduct at least one full Crisis Simulation Exercise (CSE) per calendar year. The CDO is responsible for scheduling and facilitating the exercise. Results are reported to the Board.

7.1 Exercise Requirements

Requirement Standard
Frequency Minimum once per calendar year
Participants Full CMT mandatory; Country Heads strongly encouraged
Duration Minimum half-day (four hours)
Scenario selection Must rotate across at least two different playbook scenarios per year
External facilitation Recommended every second year
Observer Board Risk Committee member to observe at least annually

7.2 Exercise Scenarios (Rotation Schedule)

Year Primary Scenario Secondary Scenario
2026 Playbook B - Cyber / Data Breach Playbook A - Major Payment Failure
2027 Playbook C - Regulatory Enforcement Playbook F - Geopolitical Crisis
2028 Playbook D - Fraud Playbook E - Key Person Loss

Scenarios should be designed to be sufficiently realistic and stressful. Inject unexpected complications (e.g., key personnel unavailability during the exercise; regulatory deadline approaching; media enquiry during the incident). Tabletop format is the minimum; live simulation exercises are preferred where feasible.

7.3 Post-Exercise Requirements

  1. Debrief conducted on the same day.
  2. Exercise report produced within 10 business days.
  3. Action items tracked and closed within agreed timelines.
  4. Exercise outcomes inform next year's scenario design.
  5. Insurance broker invited to observe exercise in alternate years (supports renewal discussions and demonstrates risk management maturity).


Document 2: Insurance Programme Brief

Prepared for: Simpaisa Group Board of Directors
Prepared by: Office of the CDO, in collaboration with the CFO
Date: April 2026
Classification: Confidential


Executive Summary

Simpaisa Group is a cross-border payments fintech processing over USD 1 billion annually across nine jurisdictions. The Group holds a DFSA Cat 3D licence in the DIFC and is subject to regulatory requirements in Pakistan, Bangladesh, Nepal, Iraq, Canada, and the United Kingdom. This brief outlines the insurance coverage required to protect the Group, its directors, its operations, and its people. It recommends immediate Board approval of Professional Indemnity and Directors and Officers cover as gating priorities, followed by structured procurement of Cyber Liability, Key Person, Fidelity/Crime, and Business Interruption cover.


1. Current State Assessment

Status: To Be Confirmed (TBC)

A formal audit of existing insurance arrangements has not yet been completed. The CFO is to confirm what coverage, if any, is currently held across group entities. Based on the Group's stage of development and regulatory history, it is assessed as probable that:

  • No group-level Professional Indemnity or D&O coverage is currently in place.
  • Ad hoc or minimum-required coverage may exist at the entity level in Pakistan or Canada.
  • No standalone Cyber Liability policy is likely to be in force.

Action Required: CFO (Mohammad Mustafa) to compile a schedule of all existing insurance policies held by Simpaisa Group entities within 30 days. This brief proceeds on the basis that material gaps exist and that procurement should begin immediately.


2. Required Coverage

2.1 Directors and Officers (D&O) Liability Insurance

Purpose: Protects individual directors and officers from personal liability arising from claims made against them in their capacity as directors or officers of Simpaisa Group entities. This is essential given the multi-jurisdictional regulatory environment and the personal liability exposure of named individuals.

Covered Persons:
  • Chairman: Nadeem Hussain
  • Non-Executive Directors: Blake Tan, Bernhard Klemen, Sebastian Reis
  • CEO and Executive Director: Yassir Pasha
  • Other C-suite officers as named in the policy schedule

Coverage Scope:
  • Wrongful acts committed in the capacity of director or officer
  • Defence costs, judgments, and settlements
  • Regulatory investigation defence costs (including DFSA, SBP, FCA proceedings)
  • Entity securities coverage (if applicable to future fundraising or IPO activity)

Recommended Limit: USD 5 million to USD 10 million aggregate
Recommended Retention/Excess: USD 25,000 to USD 50,000

Priority: High - required immediately. DFSA and other regulators regard adequate D&O coverage as an indicator of governance maturity. Additionally, attracting and retaining high-quality board members increasingly requires confirmed D&O coverage.

Estimated Annual Premium: USD 40,000 to USD 80,000 (indicative; subject to broker market review)


2.2 Professional Indemnity (PI) Insurance

Purpose: Covers Simpaisa against claims by clients and third parties arising from errors, omissions, negligence, or breach of professional duty in the provision of payment services, remittance, and related financial services.

Regulatory Requirement: The DFSA requires all Category 3D-licensed firms to hold PI insurance. This is a licence condition, not a discretionary coverage. Absence of PI cover may constitute a breach of licence conditions and could trigger regulatory action.

Coverage Scope:

  • Errors in payment processing, routing, or settlement
  • Incorrect FX rate application
  • Failure to execute or late execution of payment instructions
  • Mis-selling or advisory liability in respect of financial services products
  • Regulatory fines and penalties (where insurable by law)

Recommended Limit: USD 5 million to USD 10 million per claim and in aggregate
Recommended Retention/Excess: USD 25,000 to USD 50,000

Priority: CRITICAL - this is the highest priority coverage in the programme. It must be in force before or concurrent with any expansion of DFSA-regulated activities.

Estimated Annual Premium: USD 30,000 to USD 70,000 (indicative; fintech payments sector can attract higher premiums due to processing volume)


2.3 Cyber Liability Insurance

Purpose: Covers Simpaisa against the financial consequences of a cyber security incident or data breach, including first-party costs (investigation, notification, remediation) and third-party liability (customer and partner claims).

Relevance: Simpaisa is within PCI DSS scope by virtue of processing card-present and card-not-present transactions. The Group holds significant volumes of customer PII and financial data across multiple jurisdictions. The CISO (Danish Hamid) holds ISO 27001 certification. A cyber event at this scale of processing carries material financial and reputational exposure.

Coverage Scope:

  • First Party: Cyber incident response costs, digital forensics, legal notification costs, credit monitoring for affected customers, business interruption arising from a cyber event, ransomware payments (subject to sanctions compliance)
  • Third Party: Claims from customers and partners for breach of data, regulatory fines and penalties (where insurable), media liability arising from a data breach
  • Social engineering / funds transfer fraud (if not covered under the Crime policy)

Recommended Limit: USD 5 million to USD 10 million
Recommended Retention/Excess: USD 50,000

Priority: High - second only to PI and D&O. Given USD 1 billion+ in processing and PCI DSS scope, the uninsured cyber exposure is material.

Estimated Annual Premium: USD 50,000 to USD 120,000 (indicative; fintech cyber premiums are driven by processing volume, employee count, and security posture - ISO 27001 certification and PCI DSS compliance will support favourable terms)

Note for Broker: Underwriters will require completion of a detailed cyber security questionnaire. The CISO should be engaged in the placement process to provide accurate technical responses.


2.4 Key Person Insurance

Purpose: Provides a lump-sum payment to Simpaisa in the event of the death or critical illness of an identified key person, to cover the cost of recruitment, business disruption, and loss of revenue attributable to that individual's absence.

Covered Persons and Rationale:

Individual | Role | Rationale
Yassir Pasha | CEO | Founder/CEO; primary investor, regulator, and partner relationship holder; DFSA SEO
Daniel O'Reilly | CDO | Responsible for Product, Security, Technology, Data; critical to DFSA compliance posture and digital transformation
Shoukat Bizinjo | Global Head Regulatory / MLRO | 25-year SBP veteran; DFSA-approved MLRO; loss would trigger regulatory notification and require emergency replacement

Recommended Coverage per Person: USD 1 million to USD 2 million
Policy Type: Decreasing term or level term, owned by the Group, payable to the Group

Estimated Annual Premium: USD 10,000 to USD 25,000 per person (age and health dependent); USD 30,000 to USD 75,000 total


2.5 Fidelity / Crime Insurance

Purpose: Covers Simpaisa against financial loss arising from fraudulent or dishonest acts committed by employees or third parties, including theft, embezzlement, and social engineering attacks.

Coverage Scope:

  • Employee dishonesty and theft
  • Theft of client money
  • Computer and funds transfer fraud
  • Social engineering / business email compromise
  • Third-party crime (e.g., fraudulent instruction by counterparty)

Relevance: Cross-border payments operations carry elevated exposure to internal fraud, social engineering, and payment diversion. The COO (Kamil Shaikh) and CRO (Shahroze Khan) both require assurance of coverage in this area given the volume of correspondent and settlement transactions processed daily.

Recommended Limit: USD 2 million to USD 5 million
Recommended Retention/Excess: USD 25,000

Estimated Annual Premium: USD 15,000 to USD 40,000


2.6 Business Interruption (BI) Insurance

Purpose: Covers loss of revenue and increased operating costs arising from an insured event that interrupts Simpaisa's ability to process payments. This is typically purchased as an extension to a property or technology errors and omissions policy, or as a standalone technology BI policy.

Coverage Scope:

  • Revenue loss during a system outage caused by an insured peril
  • Increased costs of working to maintain operations (e.g., use of alternative processing infrastructure)
  • Dependency on third-party service providers (e.g., cloud provider outage)

Note: Standard BI policies exclude cyber events; confirm that cyber BI is addressed within the Cyber Liability policy above.

Recommended Limit: USD 5 million
Indemnity Period: 12 months

Estimated Annual Premium: USD 10,000 to USD 25,000 (as standalone or extension)


3. Priority, Timeline, and Procurement Sequence

Priority | Coverage | Reason | Target Placement
1 | Professional Indemnity | DFSA licence condition - gating requirement | Within 60 days
2 | Directors and Officers | Governance requirement; board member protection | Within 60 days
3 | Cyber Liability | PCI DSS scope; USD 1B+ processing; CISO-led compliance programme | Within 90 days
4 | Fidelity / Crime | Elevated exposure from settlement and correspondent operations | Within 120 days
5 | Key Person | Regulatory and operational continuity risk | Within 120 days
6 | Business Interruption | Revenue protection; confirms crisis management maturity | Within 180 days

PI and D&O should be placed simultaneously given the shared broker relationship and the ability to negotiate package terms.


4. Broker Recommendation

Simpaisa should engage a specialist insurance broker with direct experience in fintech, payments, and DIFC-regulated firms. The following are recommended for shortlisting:

Marsh DIFC The largest global risk advisor, with a dedicated DIFC presence and a specialist financial lines practice covering D&O, PI, and Cyber for financial services. Strong relationships with Lloyd's of London syndicates and Singapore market underwriters.

Aon DIFC Global broker with strong fintech and financial institutions expertise. Aon's Cyber Solutions practice has deep capability in PCI DSS-scope clients and can support the cyber application process.

Lockton DIFC Mid-market specialist with a strong DIFC book and responsive service model appropriate for a Series A / pre-IPO fintech. Lockton's Financial Institutions team has specific experience with cross-border payments firms.

Recommendation: Conduct a competitive broker selection process. Issue a Request for Proposal to Marsh, Aon, and Lockton simultaneously, specifying the required coverages, limits, and timelines above. Select on the basis of sector expertise, market relationships, responsiveness, and fee structure.

Note: The broker should be instructed to approach the Lloyd's of London market, Singapore market (given HoldCo domicile), and UAE insurance market simultaneously to achieve competitive terms.


5. Indicative Budget

Coverage | Estimated Annual Premium (USD)
Professional Indemnity | 30,000 to 70,000
Directors and Officers | 40,000 to 80,000
Cyber Liability | 50,000 to 120,000
Fidelity / Crime | 15,000 to 40,000
Key Person (3 persons) | 30,000 to 75,000
Business Interruption | 10,000 to 25,000
Total (indicative) | 175,000 to 410,000

These are indicative ranges based on comparable fintech and payments firms at similar scale and regulatory complexity. Actual premiums will depend on broker placement, underwriter appetite, loss history, and the quality of Simpaisa's risk management disclosures (security posture, compliance certifications, etc.). A strong compliance narrative - DFSA Cat 3D licence, ISO 27001, PCI DSS, former SBP MLRO - should support the lower end of ranges.


6. Board Action Required

The Board is requested to:

  1. Approve the immediate procurement of Professional Indemnity and Directors and Officers coverage as Priority 1 items, with a target placement within 60 days.
  2. Approve the budget envelope of USD 175,000 to USD 410,000 per annum for the full insurance programme, to be refined upon broker engagement.
  3. Authorise the CFO and CDO jointly to conduct the broker selection process and return to the Board with a recommended programme and final premiums for approval.
  4. Note the current-state gap and instruct the CFO to produce a schedule of existing coverage within 30 days.


Document 3: Succession Planning Matrix

Prepared for: Simpaisa Group Board - Governance and Nominations
Prepared by: Office of the CDO
Date: April 2026
Classification: Highly Confidential - Board and CEO Only


1. Purpose and Governance

This Succession Planning Matrix identifies the designated successors, readiness assessments, development plans, and emergency cover arrangements for all regulated and operationally critical roles within Simpaisa Group.

The matrix is reviewed by the CEO and CDO annually and presented to the Board (Nominations Committee or full Board as applicable) for approval. It is updated immediately following any change in role holder, material change in successor readiness, or structural reorganisation.

Readiness Assessment Criteria:

Rating | Definition
Ready Now | Can assume the role immediately with minimal handover. Has the requisite skills, regulatory knowledge, and stakeholder relationships.
Ready in 6 Months | Broadly capable but requires targeted development in identified areas. Could assume the role with active support.
Ready in 12 Months | Partially capable. Has strong potential but significant gaps in regulatory, technical, or leadership dimensions.
External Hire Required | No internal candidate is suitable. External recruitment must begin immediately upon vacancy.

Emergency Cover Definitions:

  • 24-Hour Cover: Who can assume functional authority immediately if the role holder is suddenly unavailable?
  • 1-Week Cover: Who manages the role for up to one week, including regulatory-facing responsibilities?
  • Permanent Succession: Who is the designated successor for a permanent vacancy?

2. Succession Matrix


Role: Chief Executive Officer (CEO)

Current Holder: Yassir Pasha
Jurisdiction: UAE (DFSA) - appointed as Senior Executive Officer (SEO) under DFSA Cat 3D licence. Board appointment. Holds primary relationship with MAS (Singapore HoldCo), DFSA, and key institutional partners.

Regulatory Requirement: DFSA-approved SEO. Change requires DFSA prior approval. Temporary absence of more than a defined period requires notification. Board-level appointment; succession is a Board/Chairman decision.

Designated Successor: COO - Kamil Shaikh (interim, subject to DFSA approval process)

Successor Readiness: Ready in 6 Months

Assessment: Kamil has strong operational and governance capability and deep knowledge of the Group's entities and structure. He lacks a DFSA individual licence (Authorised Individual) which would require a separate application to DFSA prior to formally assuming SEO responsibilities. He has relationships with key regulators but has not held a public-facing CEO role.

Development Plan:

  • Commence DFSA Authorised Individual pre-application process within 90 days.
  • Increase external regulator-facing representation (lead DFSA engagements alongside CEO from Q2 2026).
  • Assume Board observer or board reporting role for key governance matters.
  • CEO to conduct quarterly strategic briefings with Kamil to ensure continuity of strategic intent.

Emergency Cover:

  • 24 hours: COO (Kamil Shaikh) assumes operational authority; Chairman (Nadeem Hussain) notified.
  • 1 week: COO manages with MLRO support on regulated activities; Board Chairman assumes oversight; DFSA notified of temporary arrangement.
  • Permanent: Board initiates formal succession process. Chairman leads. COO assumes interim CEO pending Board appointment and DFSA approval. External search may be conducted in parallel.

Notes: DFSA approval of interim SEO arrangements must be confirmed with DFSA Supervision before any permanent or extended arrangement is put in place. Legal counsel to be engaged upon any permanent vacancy.


Role: Chief Digital Officer (CDO)

Current Holder: Daniel O'Reilly
Jurisdiction: UAE (DIFC) - oversees Product, Security, Data, and Technology functions. Accountable for DFSA technology and operational resilience obligations. Not individually DFSA-licensed in the CDO capacity but responsible for the oversight of the CISO (who holds relevant accountabilities) and indirectly for information security and PCI DSS obligations.

Regulatory Requirement: No direct individual DFSA licence currently attached to CDO role, but the role carries accountability for technology risk (DFSA COBS and operational resilience requirements) and for PCI DSS programme governance.

Designated Successor: CTO - Saqlain Raza, with CISO (Danish Hamid) covering security/compliance aspects

Successor Readiness: Ready in 12 Months (for full scope); CTO Ready in 6 Months (for technology); CISO Ready Now (for security/compliance)

Assessment: No single internal candidate can assume the full CDO portfolio immediately. The role spans Product, Technology, Security, and Data - four distinct functions. A bifurcation of responsibilities between CTO and CISO may be required in an emergency.

Development Plan:

  • CTO to develop deeper product strategy understanding via CDO-led monthly Product Council.
  • CISO to develop broader operational risk and governance exposure via Board Risk Committee participation.
  • Head of Data/Analytics (if/when appointed) to assume data leadership independently.

Emergency Cover:

  • 24 hours: CTO assumes technology and product authority; CISO assumes security and compliance authority; COO provides governance bridge.
  • 1 week: CTO and CISO jointly manage CDO portfolio with CEO oversight.
  • Permanent: Evaluate whether to maintain CDO as a unified role (external hire) or restructure into separate CTO and CPO/CISO reporting lines. Decision to be made by CEO and Board within 30 days of vacancy.


Role: Chief Operating Officer (COO)

Current Holder: Kamil Shaikh
Jurisdiction: UAE (DIFC) - responsible for entity governance, operational structure, settlement operations, and cross-jurisdictional governance.

Regulatory Requirement: No individual DFSA licence currently, but the role is operationally critical to licence compliance across all jurisdictions. Holds governance relationships with SBP, Bangladesh Bank, and other regulators through Country Heads.

Designated Successor: Country Head Pakistan - Noor Ali

Successor Readiness: Ready in 12 Months

Assessment: Noor Ali has strong operational depth in Pakistan and understands payment operations, SBP requirements, and corridor economics. He lacks cross-jurisdictional operational experience and has not held a Group-level governance role. A transitional period of 6–12 months with increased scope would be required.

Development Plan:

  • Noor Ali to participate in Group Ops leadership meetings as a standing attendee from Q2 2026.
  • COO to actively delegate cross-border coordination tasks to Noor Ali over the next 12 months.
  • Assess readiness at mid-year 2026 and provide targeted development (entity governance, DIFC/MAS interface).

Emergency Cover:

  • 24 hours: CDO assumes governance bridge; CFO manages treasury/financial operations; Country Heads manage locally.
  • 1 week: Noor Ali assumes interim COO with CDO and CFO support.
  • Permanent: Noor Ali assumes interim; external search initiated in parallel for a Group COO with DIFC experience if Noor Ali is not assessed as ready within 6 months.


Role: Chief Financial Officer (CFO)

Current Holder: Mohammad Mustafa
Jurisdiction: UAE (DIFC) - DFSA-approved Finance Officer. Holds individual DFSA approval. Responsible for financial reporting, treasury, capital adequacy, and DFSA financial returns.

Regulatory Requirement: DFSA Finance Officer (Authorised Individual). Change requires DFSA prior approval and submission of individual approval application by successor.

Designated Successor: Head of Treasury (to be identified/confirmed)

Successor Readiness: External Hire Required (if Head of Treasury position is vacant or not suitable)

Assessment: The DFSA Finance Officer role requires individual regulatory approval. Any permanent successor must hold (or be capable of obtaining) DFSA individual approval. The Head of Treasury, if a suitable candidate, could be developed to assume this role. If no internal candidate is ready, external hire must begin immediately upon vacancy.

Development Plan:

  • Identify and confirm Head of Treasury as designated CFO successor within 90 days.
  • Provide DFSA regulatory familiarisation (DFSA PIB, financial returns process, capital adequacy).
  • CFO to involve Head of Treasury in all DFSA Finance Officer responsibilities progressively over the next 12 months.

Emergency Cover:

  • 24 hours: Head of Treasury assumes treasury and financial operations; CFO contacted for DFSA-specific matters if possible.
  • 1 week: Head of Treasury manages; COO and external financial advisor support regulatory submissions; DFSA notified per their requirements.
  • Permanent: Head of Treasury assumes interim; DFSA application submitted for new Finance Officer within required period; external search if no internal candidate.

Notes: DFSA must be notified of any change to or absence of the Finance Officer. Legal and compliance team to manage notification process.


Role: Chief Information Security Officer (CISO)

Current Holder: Danish Hamid
Jurisdiction: UAE (DIFC) - ISO 27001 Management System owner; PCI DSS Programme Owner; responsible for information security governance across the Group.

Regulatory Requirement: No individual DFSA licence specifically attached to CISO, but the role is accountable for DFSA technology risk and operational resilience obligations (DFSA COBS Chapter 6 and associated guidance). ISO 27001 Lead Auditor certification is a programme requirement. PCI DSS requires a named programme owner.

Designated Successor: Senior Information Security Manager (to be identified from existing team)

Successor Readiness: Ready in 12 Months (dependent on appointment and confirmation of internal candidate)

Development Plan:

  • Identify and name a Deputy CISO / Senior Information Security Manager within 90 days.
  • Named individual to shadow CISO on all material risk and compliance forums.
  • Lead auditor training for ISO 27001 to be sponsored for successor within the next 12 months.
  • PCI DSS QSA relationship to be briefed on succession arrangements.

Emergency Cover:

  • 24 hours: CDO assumes CISO accountability; Senior InfoSec Manager manages operationally.
  • 1 week: Senior InfoSec Manager assumes interim CISO with CDO oversight; external security advisor engaged if required.
  • Permanent: Senior InfoSec Manager assumes interim. External hire initiated in parallel. CDO to act as Executive Sponsor for ISO 27001 and PCI DSS during transition.


Role: Chief Technology Officer (CTO)

Current Holder: Saqlain Raza
Jurisdiction: UAE (DIFC)

Regulatory Requirement: No individual DFSA licence. Responsible for technology infrastructure, platform engineering, and operational resilience implementation.

Note: Saqlain Raza was permanently appointed as CTO in April 2026, confirmed by the Board.

Designated Successor: To be developed from senior engineering leadership.

Successor Readiness: External Hire Required (no named successor identified)

Development Plan - Immediate Priorities:

  • Begin structured CTO succession development with senior engineering leads.
  • Identify high-potential engineers for leadership development within 12 months.

Emergency Cover:

  • 24 hours: CDO assumes CTO authority; Senior Engineering Lead manages technical operations.
  • 1 week: CDO manages CTO responsibilities; external technical advisor or interim CTO (via specialist firm) engaged if needed.
  • Permanent: External hire. CDO to act as interim functional head during recruitment.


Role: Global Head Regulatory / MLRO

Current Holder: Shoukat Bizinjo
Jurisdiction: UAE (DIFC) - DFSA-approved MLRO. Also accountable for FINTRAC compliance in Canada, SBP regulatory relationship (supporting Noor Ali), and Group-wide AML/CFT framework.

Regulatory Requirement: DFSA MLRO (Authorised Individual). FINTRAC compliance officer. Change requires DFSA prior approval and replacement filing. DFSA requires that no period exists without an approved MLRO; an interim arrangement must be agreed with DFSA Supervision in advance.

Designated Successor: Head of Compliance (to be identified / appointed)

Successor Readiness: External Hire Required

Assessment: Shoukat Bizinjo is a uniquely experienced individual - 25 years at the State Bank of Pakistan and a DFSA-approved MLRO. No current internal candidate can replicate this experience. Loss of this individual would constitute a Tier 2 crisis event and would require immediate regulatory notification.

Development Plan:

  • Appoint a Head of Compliance (Deputy MLRO) within 90 days. This is a Board-level priority.
  • Deputy MLRO to be eligible for DFSA individual approval.
  • Shoukat Bizinjo to formally document all regulatory relationships, SBP contacts, and ongoing regulatory commitments as a Regulatory Relationship Register.
  • Shoukat Bizinjo to actively brief Deputy MLRO on all live regulatory matters monthly.

Emergency Cover:

  • 24 hours: Head of Legal assumes MLRO responsibilities on an interim basis; DFSA Supervision contacted immediately.
  • 1 week: Head of Legal and external AML consultant manage; DFSA notified of interim arrangement and timeline for permanent appointment.
  • Permanent: Head of Compliance (Deputy MLRO) assumes role and submits DFSA individual approval application within required period. External hire if no internal candidate is approved.

Notes: This is the highest-risk succession gap in the current matrix. Immediate action to appoint a Deputy MLRO is strongly recommended.


Role: Country Head Pakistan

Current Holder: Noor Ali
Jurisdiction: Pakistan - primary SBP relationship holder; responsible for Pakistan operations and PSO/PSP licence compliance.

Regulatory Requirement: SBP PSO/PSP Licence - the Country Head is the designated officer responsible for licence compliance with SBP. Any change requires notification to SBP and may require formal approval.

Designated Successor: Senior Operations Manager - Pakistan (to be identified)

Successor Readiness: Ready in 12 Months

Development Plan:

  • Identify and name a Deputy Country Head within 60 days.
  • Deputy to attend all SBP engagements with Noor Ali from Q2 2026.
  • Deputy to assume lead on SBP reporting and correspondence within 12 months.

Emergency Cover:

  • 24 hours: Senior Operations Manager assumes local operational authority; COO manages Group interface.
  • 1 week: Senior Operations Manager manages; COO assumes SBP-facing responsibility with Group legal support; SBP notified if required by licence conditions.
  • Permanent: Senior Operations Manager assumes interim Country Head. SBP notification filed. External hire if internal candidate is not suitable.


Role: Country Head Bangladesh and Nepal

Current Holder: Sanjana Farid
Jurisdiction: Bangladesh and Nepal - primary Bangladesh Bank relationship holder; responsible for remittance operations, corridor compliance, and Nepal Rastra Bank compliance.

Regulatory Requirement: Bangladesh Bank remittance licence; Nepal Rastra Bank authorisation. Country Head is the named officer for both.

Designated Successor: Senior Compliance / Operations Manager - BD&NP (to be identified)

Successor Readiness: Ready in 12 Months

Development Plan:

  • Identify and name a deputy within 60 days.
  • Deputy to attend Bangladesh Bank engagements and lead NRB reporting from H2 2026.
  • Sanjana Farid to document all regulatory commitments, contacts, and pending matters in a Country Regulatory Register.

Emergency Cover:

  • 24 hours: MLRO (Shoukat Bizinjo) assumes regulatory authority; senior operations manager manages locally.
  • 1 week: COO assumes Group-level interface; MLRO manages regulator communications; local senior manager manages operations.
  • Permanent: Senior local manager assumes interim; MLRO engages regulators; external hire commenced.


Role: Head of Legal

Current Holder: TBC (role to be recruited)
Jurisdiction: Group-wide - contract authority, regulatory correspondence, litigation, and Board secretary function.

Regulatory Requirement: Not individually DFSA-licensed unless designated as a Compliance Officer. However, the role holds delegated authority for regulatory correspondence and is a member of the CMT.

Current Risk: This role is currently vacant or unfilled at Group level. This is a significant governance gap. The CMT (Crisis Management and Communications Plan) assigns the Head of Legal material responsibilities in a crisis.

Immediate Action Required: CEO and CDO to initiate recruitment for Group Head of Legal within 30 days. Until appointment, all legal matters to be managed by external legal counsel (DFSA: Al Tamimi or equivalent DIFC-specialist firm) under MLRO coordination.

Successor Readiness: External Hire Required

Emergency Cover (interim, until appointment):

  • All matters: External legal counsel designated by CEO and MLRO.


Role: Head of Treasury

Current Holder: TBC (to be confirmed - may exist at entity level)
Jurisdiction: Group-wide - settlement authority, prefunding management, FX hedging, and liquidity management.

Regulatory Requirement: Not individually DFSA-licensed, but DFSA capital adequacy and liquidity requirements require a capable treasury function. The DFSA Finance Officer (CFO) holds ultimate accountability.

Current Risk: Treasury oversight at Group level may be fragmented across entities. COO and CFO should confirm the current treasury reporting structure.

Designated Successor (once role is confirmed): To be identified from within finance function.

Successor Readiness: External Hire Required (until role is formally structured)

Emergency Cover:

  • 24 hours: CFO assumes direct treasury authority.
  • 1 week: CFO manages with COO support; external treasury advisor engaged if required.
  • Permanent: Recruit dedicated Group Head of Treasury.


3. Succession Risk Heat Map

Role | Risk Level | Primary Gap | Immediate Action
CEO | Medium | DFSA SEO approval for successor; COO not yet licensed | COO DFSA pre-application within 90 days
CDO | Medium | No single internal successor for full portfolio | Confirm CTO permanently; formalise CISO scope
COO | Medium | Successor lacks Group-level experience | Increase Noor Ali's exposure to Group governance
CFO | High | DFSA Finance Officer approval needed for successor | Identify Head of Treasury as successor within 90 days
CISO | Medium | No named deputy | Appoint Deputy CISO within 90 days
CTO | Medium | No named successor identified | Begin succession development with senior engineering leads
MLRO / Global Head Regulatory | Critical | Uniquely experienced individual; no internal successor | Appoint Deputy MLRO within 90 days - highest priority
Country Head Pakistan | Medium | No named deputy | Identify deputy within 60 days
Country Head BD&NP | Medium | No named deputy | Identify deputy within 60 days
Head of Legal | Critical | Role vacant at Group level | Commence recruitment immediately
Head of Treasury | High | Role may not be formally structured at Group level | CFO to confirm structure within 30 days

4. Board Action Required

The Board is requested to:

  1. Approve this Succession Planning Matrix as the baseline document for annual review.
  2. Mandate the CEO to appoint a Deputy MLRO / Head of Compliance within 90 days - flagged as the highest individual succession risk.
  3. Note that the CTO appointment (Saqlain Raza) was permanently confirmed in April 2026. Direct the CTO to begin structured succession development with senior engineering leads within 90 days.
  4. Mandate the initiation of a recruitment process for Group Head of Legal within 30 days.
  5. Direct the COO to commence the DFSA Authorised Individual pre-application process within 90 days to establish a viable CEO emergency successor.
  6. Review the matrix annually at the Board meeting in Q1 of each year, with an interim update following any material change.

End of Document

Document Classification: Confidential / Highly Confidential (per section)
Owner: Chief Digital Officer - Daniel O'Reilly
Review Date: April 2027
Distribution: CEO, Board of Directors, and named CMT members only (Crisis document); Board only (Succession matrix)