Simpaisa Group - Financial Crime Compliance Policy Suite


POLICY 1: ANTI-MONEY LAUNDERING AND COUNTER-TERRORIST FINANCING POLICY


SIMPAISA GROUP

ANTI-MONEY LAUNDERING AND COUNTER-TERRORIST FINANCING POLICY


| Field | Detail |
|---|---|
| Document Reference | SGP-FCC-001 |
| Version | 1.0 |
| Status | Active |
| Owner | Money Laundering Reporting Officer (MLRO) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential |

Document Control

Revision History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | MLRO Office | Initial draft |
| 0.2 | February 2026 | MLRO, Legal, CCO | Internal review and multi-jurisdiction regulatory alignment |
| 0.3 | March 2026 | MLRO | Incorporation of DFSA AML Module v5 and FATF 2023 methodology |
| 1.0 | April 2026 | Board of Directors | Board-approved final version |

Distribution

This policy is classified as Confidential. It is distributed to all members of the Board of Directors, the Executive Leadership Team, the MLRO, all compliance and financial crime staff, all customer-facing staff, and all third parties with delegated compliance functions. It is maintained on the Group's internal policy management system. Country-specific annexes are distributed to the relevant country compliance function and country management team. The policy is not distributed externally except as required by regulatory obligation or legal process.

  • Sanctions Screening Policy (SGP-FCC-002)
  • Counter-Terrorist Financing Procedures (SGP-FCC-003)
  • Know Your Customer (KYC) Procedure (SGP-FCC-004)
  • Customer Risk Assessment Framework (SGP-FCC-005)
  • Financial Crime Risk Assessment (FCRA) - Annual Document
  • Outsourcing and Third-Party Management Policy (SGP-OPS-002)
  • Data Governance Policy (SGP-CDO-001)
  • Whistleblowing Policy (SGP-GOV-002)
  • Code of Conduct

1. Purpose and Scope

1.1 Purpose

This Anti-Money Laundering and Counter-Terrorist Financing Policy ("Policy") sets out the framework, principles, obligations, and procedures that govern how Simpaisa Group ("Simpaisa" or "the Group") identifies, assesses, mitigates, and reports money laundering (ML) and terrorist financing (TF) risk across all its business activities, products, channels, and jurisdictions.

Simpaisa is a cross-border payments fintech headquartered in Singapore, operating through nine regulated or registered entities across Singapore, Pakistan, Bangladesh, Nepal, Iraq, the United Arab Emirates (DIFC), the United Kingdom, and Canada. The Group provides Pay-In, Pay-Out, Remittance, Crypto Off-Ramping, and White-Label Wallet services. By the nature of these products and the jurisdictions in which the Group operates - several of which are FATF grey-list or monitored jurisdictions - Simpaisa carries inherent AML/CFT risk and accepts a commensurate obligation to maintain robust, proportionate, and continuously improving financial crime controls.

This Policy is designed to:

  • Protect the Group, its employees, and its customers from the consequences of money laundering and terrorist financing;
  • Ensure compliance with all applicable AML/CFT laws, regulations, and regulatory guidance across every jurisdiction in which the Group operates;
  • Define the minimum standards applicable group-wide, upon which jurisdiction-specific annexes impose additional requirements where local law demands;
  • Establish clear accountability, escalation paths, and reporting obligations for all staff;
  • Provide a documented framework against which internal audit, external audit, and regulators can assess the adequacy of the Group's AML/CFT programme.

1.2 Scope

This Policy applies to:

  • All entities within the Simpaisa Group, including Simpaisa Holdings Pte Ltd (Singapore HoldCo) and all nine subsidiary and associated entities;
  • All employees of the Group, regardless of role, seniority, contract type, or jurisdiction of employment;
  • All contractors, consultants, and secondees performing functions on behalf of any Simpaisa entity;
  • All third-party agents, distributors, and white-label partners conducting customer-facing activities on behalf of the Group;
  • All products, services, and channels offered by the Group, including Pay-In, Pay-Out, Remittance, Crypto Off-Ramping, and White-Label Wallet services;
  • All customers, whether individuals (natural persons) or legal entities (corporate customers, institutional counterparties).

Where local law or regulation imposes requirements stricter than this Policy, the stricter requirement shall prevail. Where this Policy imposes requirements stricter than local law, this Policy shall prevail unless compliance would breach local law, in which case the MLRO shall be notified and an exception documented.


2. Definitions

| Term | Definition |
|---|---|
| AML | Anti-Money Laundering. |
| Beneficial Owner | The natural person(s) who ultimately owns or controls a customer entity, or on whose behalf a transaction or activity is conducted. For legal entities, the threshold is ownership or control of 25% or more, or effective control through other means. |
| CDD | Customer Due Diligence - the process of identifying and verifying customer identity and understanding the nature of the customer relationship and expected transaction activity. |
| CFT | Counter-Terrorist Financing, also referred to as CTF in some jurisdictions. Used interchangeably with CTF in this Policy. |
| DFSA | Dubai Financial Services Authority, financial regulator of the Dubai International Financial Centre (DIFC). |
| EDD | Enhanced Due Diligence - additional CDD measures applied to customers or relationships assessed as high-risk. |
| FATF | Financial Action Task Force - the global standard-setter for AML/CFT policy. |
| Financial Crime | Encompasses money laundering, terrorist financing, proliferation financing, bribery and corruption, fraud, tax evasion facilitation, and sanctions violations. |
| FIU | Financial Intelligence Unit - the designated national authority responsible for receiving, analysing, and disseminating STRs/SARs. |
| MLRO | Money Laundering Reporting Officer - the Group's designated senior individual responsible for overseeing the AML/CFT programme and making regulatory disclosures. At Simpaisa, the MLRO is Shoukat Bizinjo, Global Head of Regulatory Affairs. |
| ML | Money Laundering - the process by which the proceeds of crime are concealed, disguised, or converted to make them appear legitimate. |
| PEP | Politically Exposed Person - a natural person who is or has been entrusted with a prominent public function, as defined by FATF and applicable local regulation. |
| Proliferation Financing | The provision of funds or financial services for use in the manufacture, acquisition, development, export, transfer, or use of weapons of mass destruction and related delivery systems. |
| RBA | Risk-Based Approach - the methodology by which resources and controls are calibrated to the level of ML/TF risk identified. |
| RCA | Relative, Close Associate - a person closely associated with a PEP by family relationship or known business or personal relationship. |
| SDD | Simplified Due Diligence - a reduced level of CDD permitted for customers assessed as low-risk. |
| STR | Suspicious Transaction Report - a report filed with the relevant FIU when money laundering, terrorist financing, or related financial crime is suspected. Also referred to as a SAR (Suspicious Activity Report) in some jurisdictions. |
| TF | Terrorist Financing - the provision or collection of funds for the purpose of carrying out terrorist acts, or for use by a terrorist organisation. |
| UBO | Ultimate Beneficial Owner - see Beneficial Owner. |

3. Policy Statements

3.1 Commitment to AML/CFT Compliance

3.1.1 The Board of Directors of Simpaisa Holdings Pte Ltd is committed to maintaining a zero-tolerance approach to the facilitation of money laundering, terrorist financing, or proliferation financing, whether wittingly or unwittingly. This commitment is unconditional and applies in every jurisdiction in which the Group operates, regardless of competitive pressure, revenue impact, or operational convenience.

3.1.2 Senior management shall be given the resources, authority, and independence necessary to implement and maintain an effective AML/CFT programme. The MLRO shall have direct access to the Board and shall report to the Board at least quarterly on the state of the AML/CFT programme.

3.1.3 Compliance with this Policy is mandatory for all persons within its scope. Failure to comply may result in disciplinary action up to and including dismissal, and may constitute a criminal offence in relevant jurisdictions.

3.1.4 The Group shall not establish, maintain, or continue a business relationship where it cannot complete required CDD, where ML/TF risk cannot be adequately managed, or where doing so would breach applicable sanctions or legal obligations.

3.2 Regulatory Framework

3.2.1 The Group's AML/CFT programme is designed to comply simultaneously with all applicable regulatory frameworks. The principal frameworks are:

| Jurisdiction | Primary AML/CFT Regulatory Framework |
|---|---|
| UAE / DIFC | DFSA AML Module (AML/VE); UAE Federal AML Law No. 20 of 2019 and its implementing Cabinet Decision No. 10 of 2019; CBUAE AML/CFT Guidelines |
| Singapore | Monetary Authority of Singapore (MAS) Notice PSN01/PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism; MAS Guidelines on AML/CFT |
| Pakistan | State Bank of Pakistan (SBP) AML/CFT Regulations; Financial Monitoring Unit (FMU) reporting obligations; Anti-Money Laundering Act 2010 (as amended) |
| Bangladesh | Bangladesh Financial Intelligence Unit (BFIU) AML/CFT Guidelines; Money Laundering Prevention Act 2012 (as amended); Anti-Terrorism Act 2009 |
| Nepal | Financial Intelligence Unit (FIU-Nepal) directives; Asset (Money) Laundering Prevention Act 2008; Nepal Rastra Bank (NRB) AML/CFT Unified Directive |
| Iraq | Central Bank of Iraq (CBI) AML/CFT Instructions; Anti-Money Laundering and Countering Financing of Terrorism Law No. 39 of 2015 |
| United Kingdom | Proceeds of Crime Act 2002; Terrorism Act 2000; Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended); FCA Financial Crime Guide |
| Canada | Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA); FINTRAC Compliance Guidance |

3.2.2 In addition to jurisdiction-specific requirements, the Group adopts the FATF Recommendations (updated 2023) as the baseline international standard. Jurisdiction-specific annexes (Appendix J) document the specific requirements applicable in each country.

3.2.3 The MLRO shall maintain a regulatory horizon-scanning process to identify and assess the impact of changes to AML/CFT laws, regulations, and FATF guidance. Material changes shall be reported to the Board within 30 days of identification, together with a plan for implementation.

3.3 Risk-Based Approach

3.3.1 The Group shall adopt a risk-based approach (RBA) to AML/CFT, as required by FATF and all applicable regulatory frameworks. The RBA means that the Group shall identify, assess, and understand the ML/TF risks to which it is exposed, and shall implement controls that are proportionate to those risks.

3.3.2 The Group's AML/CFT risk assessment shall consider the following risk dimensions:

  • Customer risk: including customer type, purpose of account, beneficial ownership complexity, PEP status, adverse media, and nationality/residency;
  • Product and service risk: including payment type, transaction size and frequency limits, anonymity features, and reversibility;
  • Geographic risk: including the ML/TF risk profile of the customer's country of residence, transaction origin, transaction destination, and the Group's operating jurisdictions;
  • Channel risk: including the degree of face-to-face verification, reliance on agents or intermediaries, and digital onboarding;
  • Delivery risk: including the speed of settlement, cash-equivalent features, and conversion to or from cryptocurrency.

3.3.3 A higher-risk assessment in any single risk dimension does not automatically require EDD. The MLRO shall maintain a composite risk scoring methodology (documented in SGP-FCC-005) that produces a single customer risk rating - Low, Medium, or High - used to determine the applicable CDD tier and monitoring intensity.

3.3.4 The Group shall conduct and document a Group-Wide Financial Crime Risk Assessment (FCRA) at least annually, or following any material change to the business, products, geographic footprint, or regulatory environment. The FCRA shall be approved by the Board and shared with the DFSA as required under the Category 3D licence.


4. ML/TF Risk Assessment Methodology

4.1 Group-Wide Risk Assessment

4.1.1 The FCRA shall be produced by the MLRO in consultation with the product, technology, and country compliance functions. It shall assess ML/TF risk across five dimensions (customer, product, geography, channel, delivery) and produce an inherent risk rating, a residual risk rating after controls, and a forward-looking risk trajectory.

4.1.2 The FCRA shall be structured to comply with the DFSA's requirements for a documented risk assessment under the DFSA AML Module, and shall be sufficiently detailed to satisfy the requirements of Singapore MAS, FINTRAC, SBP, BFIU, and other applicable regulators if requested.

4.1.3 The FCRA shall specifically address:

  • The ML/TF risk implications of operating in FATF grey-list jurisdictions (currently Pakistan and Bangladesh);
  • The heightened risk associated with Crypto Off-Ramping, including OFAC-sanctioned wallet risk and anonymity features;
  • The risk profile of cross-border remittance corridors, including high-volume corridors (UAE-Pakistan, UK-Bangladesh) and high-risk corridors (Iraq-Pakistan);
  • The risk associated with white-label wallet partnerships and the extent to which the Group relies on partner CDD.

4.2 Customer Risk Assessment

4.2.1 A customer risk assessment shall be conducted for every customer at onboarding, using the scoring methodology in SGP-FCC-005. Risk factors shall include:

| Risk Factor | Indicators of Higher Risk |
|---|---|
| Customer type | Legal entities; trusts; foundations; nominee structures |
| Business activity | Money services; cash-intensive businesses; virtual asset service providers |
| Nationality / residency | FATF grey-list or blacklist countries; high-risk jurisdictions per Group list |
| PEP status | Domestic or foreign PEP; RCA |
| Adverse media | Negative news relating to financial crime, fraud, corruption |
| Product usage | Large transaction volumes; frequent high-value transfers; crypto conversion |
| Source of funds / wealth | Unable to substantiate; inconsistent with stated occupation |
| Geographic exposure | Transactions to/from sanctioned, high-risk, or conflict-affected jurisdictions |

4.2.2 Customer risk ratings shall be reviewed at the frequency set out in Section 6 and following any trigger event that may indicate a change in risk profile, including: material changes to transaction behaviour, receipt of adverse media, PEP designation, STR filing, or regulatory alert.


5. Customer Due Diligence

5.1 CDD Framework

5.1.1 The Group shall apply one of three CDD tiers to every customer, determined by the customer's risk rating:

| CDD Tier | Risk Rating | Description |
|---|---|---|
| Simplified Due Diligence (SDD) | Low | Reduced CDD measures where lower risk is established and permitted by applicable law |
| Standard Due Diligence (Standard CDD) | Medium | Full CDD measures applicable to all customers by default |
| Enhanced Due Diligence (EDD) | High | Additional CDD measures required for high-risk customers |

5.1.2 SDD may only be applied where (a) the customer's risk rating is Low; (b) applicable local law does not prohibit SDD; and (c) the MLRO has approved SDD in principle for the relevant customer segment. SDD never reduces the obligation to identify and verify customer identity; it reduces the depth of ongoing monitoring and the frequency of review.

5.1.3 The Group shall not complete onboarding of any customer until CDD obligations applicable to that customer's risk tier have been met, except where the MLRO approves a documented exception under Section 9.

5.2 Standard CDD Requirements

5.2.1 Standard CDD shall be applied to all customers unless SDD or EDD applies. Standard CDD requires:

For natural persons:

  • Full legal name as per government-issued identity document;
  • Date of birth;
  • Nationality and country of residence;
  • Residential address (verified where possible);
  • Government-issued identity document (passport, national ID card) - original or certified copy, liveness-checked via technology where remote onboarding is used;
  • Source of funds (stated and risk-assessed);
  • Purpose of the account/relationship;
  • PEP screening (Eastnets, supplemented by adverse media checks).

For legal entities:

  • Full legal name and registered name (if different);
  • Country and date of incorporation;
  • Registered office address;
  • Certificate of incorporation or equivalent;
  • Memorandum and articles of association or equivalent constitutional documents;
  • Identification and verification of directors and authorised signatories;
  • Identification and verification of all UBOs holding 25% or more;
  • Nature of business and source of funds;
  • PEP and sanctions screening of all directors, signatories, and UBOs.

5.2.2 Identity verification shall be conducted using reliable, independent source documents, data, or information. The Group shall use electronic verification services where available, supplemented by document review. Remote digital onboarding shall incorporate liveness detection and document authenticity checks.

5.2.3 The Group shall not rely solely on copies of documents submitted by the customer without independent verification where the customer risk level warrants cross-verification.

5.3 Enhanced Due Diligence

5.3.1 EDD shall be applied to all customers with a High risk rating and in the following circumstances regardless of composite risk rating:

  • The customer is identified as a PEP, or is an RCA of a PEP;
  • The customer is domiciled in, or transacting to/from, a FATF blacklist jurisdiction (currently Iran, North Korea, Myanmar) or a jurisdiction subject to DFSA-imposed enhanced measures;
  • The customer is a correspondent bank or remittance partner;
  • The customer is a Virtual Asset Service Provider (VASP);
  • The customer is a Money or Value Transfer Service (MVTS) operator;
  • The customer is a non-profit organisation (NPO) or charity;
  • A previously filed STR is associated with the customer or a materially connected party;
  • Local law mandates EDD for the relevant customer category.

5.3.2 EDD measures shall include, at minimum, all Standard CDD measures plus:

  • Senior management approval for onboarding or continuation of the relationship;
  • Enhanced verification of source of funds and source of wealth, with documentary evidence;
  • Enhanced understanding of the nature and purpose of the business relationship;
  • Enhanced ongoing monitoring, with transaction review at increased frequency;
  • MLRO sign-off on the risk assessment and the decision to proceed;
  • More frequent periodic review (at least annually for High-risk customers).

5.3.3 For PEPs, EDD shall include:

  • Confirmation of the current or former public role and the date of cessation (where applicable);
  • Assessment of the jurisdiction of the public role (domestic or foreign) and the risk implications;
  • Source of wealth verification - income, assets, investments - with documentary evidence;
  • Ongoing monitoring for adverse media relating to the PEP and their immediate family;
  • Senior management approval (minimum: CCO, or MLRO for foreign PEPs);
  • Annual review regardless of transaction volume.

5.3.4 A foreign PEP (a person who holds or has held a prominent public function in a foreign country) shall always be treated as High risk. A domestic PEP may be assessed at Medium or High risk depending on their role and jurisdiction.

5.4 Beneficial Ownership

5.4.1 For all corporate customers and legal arrangements (trusts, foundations, partnerships), the Group shall identify and take reasonable measures to verify the identity of all UBOs, being natural persons who own or control 25% or more of shares or voting rights, or who exercise control through other means.

5.4.2 Where no natural person can be identified meeting the 25% threshold, the Group shall identify the natural person(s) who exercise effective control through other means (management control, right of appointment, contractual authority).

5.4.3 Where a corporate customer is owned by a chain of legal entities, the Group shall trace the ownership chain to identify all natural-person UBOs. The Group shall not accept nominee structures or bearer shares as a substitute for UBO identification.

5.4.4 Where the Group cannot identify the UBO(s) after reasonable enquiry, it shall not onboard the customer, or shall terminate the relationship if already onboarded, and shall consider whether an STR is warranted.

5.4.5 UBO information shall be documented in the customer file and reviewed at each periodic review or following any trigger event that may indicate a change in beneficial ownership.

5.5 Correspondent Banking and Remittance Partners

5.5.1 The Group shall apply EDD to all correspondent banking relationships and to all remittance partner relationships through which the Group routes transactions. This includes:

  • Identification and verification of the correspondent institution and its key principals;
  • Assessment of the correspondent's regulatory status, AML/CFT regime, and supervisory history;
  • Understanding of the correspondent's customer base and the nature of transactions expected;
  • Assessment of whether the correspondent institution is itself subject to regulatory action or adverse supervisory findings;
  • Senior management approval (minimum: MLRO) for all new correspondent or partner relationships;
  • Prohibition on establishing or maintaining relationships with shell banks (institutions with no physical presence in any jurisdiction and unaffiliated with a regulated financial group).

5.5.2 The Group shall conduct periodic due diligence reviews of all active correspondent and remittance partner relationships, at minimum annually for medium-risk partners and every six months for high-risk partners.

5.5.3 Where a remittance corridor partner is located in a FATF grey-list or high-risk jurisdiction, the MLRO shall specifically assess the quality of that partner's AML/CFT controls and document the findings before approving the relationship.


6. Ongoing Monitoring and Periodic Review

6.1 Transaction Monitoring Programme

6.1.1 The Group shall maintain an automated transaction monitoring programme that analyses all transactions in real time and batch mode against defined rules, thresholds, and scenarios. The transaction monitoring system shall be configured and maintained to identify transactions and patterns indicative of ML, TF, or related financial crime.

6.1.2 Transaction monitoring rules and scenarios shall be maintained, reviewed, and tuned by the MLRO and the financial crime analytics function at minimum quarterly. Any rule or scenario with a false positive rate exceeding 95% shall be reviewed and adjusted.

6.1.3 The following transaction monitoring scenarios and thresholds apply across all product lines. Product-line-specific scenarios are set out in Appendix E.

| Scenario | Trigger | Priority |
|---|---|---|
| Large cash-equivalent transaction | Single transaction exceeding USD 10,000 (or local equivalent) | High |
| Structuring (smurfing) | Multiple transactions below reporting thresholds that together suggest deliberate splitting | High |
| Rapid fund movement | Funds received and sent out within 24 hours, with minimal residual balance | High |
| Geographic anomaly | Transaction to/from a jurisdiction inconsistent with customer profile | Medium |
| Dormant account activation | Significant transaction activity following extended dormancy | Medium |
| Velocity anomaly | Transaction frequency or volume materially exceeds expected pattern | Medium |
| Crypto conversion pattern | Repeated crypto-to-fiat conversions with rapid onward transfer | High |
| NPO/charity transaction | Transactions to or from registered or unregistered charities, especially cross-border | High |
| Round-number transaction | Repeated transactions in round amounts, inconsistent with business purpose | Low |
| Beneficiary concentration | Disproportionate volume to a single beneficiary inconsistent with stated purpose | Medium |

6.1.4 Transaction monitoring alerts shall be reviewed by trained compliance analysts. An alert shall not be dismissed without documented rationale. Where an analyst determines that an alert does not require further action, the rationale shall be recorded. Where an analyst escalates an alert, it shall be reviewed by a senior compliance analyst or the MLRO within the timeframes set out in Section 8.

6.1.5 Product-specific transaction monitoring thresholds and scenarios are set out in Appendix E, covering:

  • Pay-In transactions (card, bank transfer, cash-equivalent methods);
  • Pay-Out transactions (bank credit, mobile wallet disbursement, cash pickup);
  • Remittance flows (corridor-specific thresholds and patterns);
  • Crypto Off-Ramp (conversion events, wallet clustering, layering indicators).

6.2 Periodic Review

6.2.1 All customer relationships shall be subject to periodic review at the following minimum frequencies:

| Customer Risk Rating | Periodic Review Frequency |
|---|---|
| Low | Every 3 years |
| Medium | Every 2 years |
| High | Annually |
| PEP | Annually (at minimum) |
| Correspondent Bank / Remittance Partner | Annually |

6.2.2 Periodic review shall include: confirmation and re-verification of identity information, review of transaction history for consistency with the customer's profile, re-assessment of the risk rating, and update of the customer file.

6.2.3 The Group shall maintain a systematic process for scheduling and tracking periodic reviews to ensure no customer file becomes materially overdue. Reviews overdue by more than 90 days for High-risk customers shall be escalated to the MLRO.

6.2.4 In addition to scheduled periodic reviews, a triggered review shall be conducted whenever any of the following occurs:

  • A material change in transaction behaviour;
  • Adverse media or intelligence relating to the customer or a materially connected party;
  • A regulatory alert or watchlist match;
  • A change in the customer's beneficial ownership or control;
  • A change in the customer's business activities materially affecting the risk profile;
  • Receipt of a law enforcement request relating to the customer.


7. Suspicious Transaction Reporting

7.1 Obligation to Report

7.1.1 The Group is legally obligated to report suspicions of money laundering, terrorist financing, or proliferation financing to the relevant FIU in each jurisdiction. Suspicion does not require certainty, evidence, or proof of criminal activity - it requires only that the Group has knowledge or reasonable grounds to suspect that a transaction or activity involves the proceeds of crime or is connected to ML, TF, or related financial crime.

7.1.2 All employees are under a personal obligation to report their suspicions internally to the MLRO as soon as practicable. Failure to make an internal report where there are reasonable grounds for suspicion may constitute a criminal offence in relevant jurisdictions.

7.1.3 The Group operates a no-retaliation policy. No employee shall be subject to adverse treatment for making a good-faith internal report of suspicion, even if the suspicion is not ultimately substantiated.

7.2 Internal Escalation Process

7.2.1 The internal STR escalation process is as follows:

Step 1 - Identification: Any employee who identifies a transaction, activity, customer behaviour, or external event that causes them to suspect ML, TF, or related financial crime shall complete an Internal Suspicious Activity Report (ISAR) and submit it to the MLRO (or their designated deputy) via the Group's secure reporting system or, in the absence of system access, directly in person or by secure communication.

Step 2 - Initial Review: The MLRO (or deputy) shall acknowledge receipt of the ISAR within one business day and conduct an initial triage to determine whether the matter requires investigation or can be resolved on the available information.

Step 3 - Investigation: Where investigation is warranted, the MLRO (or designated financial crime analyst) shall conduct a documented investigation, reviewing the customer file, transaction history, adverse media, screening results, and any other relevant information. The investigation shall be completed within 15 business days of receipt of the ISAR, except where the complexity of the matter or the need for additional information justifies a longer period.

Step 4 - Decision: The MLRO shall make a documented decision: (a) no further action - suspicion not substantiated; (b) suspicious - file STR with the relevant FIU; or (c) refer to law enforcement directly if the situation demands immediate action.

Step 5 - Filing: Where the MLRO determines that an STR is warranted, the report shall be filed with the relevant FIU as soon as practicable and in any event within the timeframe required by applicable law. Filing obligations by jurisdiction are set out in Appendix D.

Step 6 - Post-Filing: Following STR filing, the MLRO shall consider whether the relationship should be suspended or terminated, whether any transactions should be blocked, and whether law enforcement assistance should be requested. These decisions shall be documented.

7.3 Tipping-Off Prohibition

7.3.1 Once a suspicion has been identified and an ISAR submitted, or an STR filed with a FIU, no person within the Group shall disclose to the customer or any third party that a suspicion has arisen, that an ISAR or STR has been submitted, or that an investigation is underway. This tipping-off prohibition is an absolute legal obligation in all jurisdictions where the Group operates.

7.3.2 Staff who need to manage the customer relationship during an investigation shall be given guidance by the MLRO on how to interact with the customer without triggering a tipping-off breach.

7.3.3 Consent requests (requests to the relevant FIU for consent to proceed with a transaction or terminate a relationship) shall be managed exclusively by the MLRO.

7.4 Record-Keeping for STRs

7.4.1 All ISARs, investigation records, MLRO decisions, and filed STRs shall be retained in accordance with the record-keeping requirements in Section 11, subject to a minimum of six years from the date of filing (DFSA requirement) and seven years where Canadian (FINTRAC) obligations apply.

7.4.2 STR records shall be stored separately from standard customer files, with access restricted to the MLRO, designated compliance staff, and internal audit. STR records shall not be accessible to customer-facing staff or to the individuals under investigation.


8. Roles and Responsibilities

8.1 Board of Directors

8.1.1 The Board of Directors is ultimately responsible for the Group's AML/CFT programme. The Board shall:

  • Approve this Policy and any material amendments;
  • Approve the annual FCRA;
  • Receive and consider the MLRO's quarterly and annual reports;
  • Ensure adequate resources are allocated to the AML/CFT function;
  • Satisfy itself, through independent assurance, that the AML/CFT programme is effective.

8.1.2 The Board shall maintain oversight of the AML/CFT programme through its Risk Committee (or equivalent), which shall receive AML/CFT reporting from the MLRO at each meeting.

8.2 Money Laundering Reporting Officer (MLRO)

8.2.1 The MLRO (Shoukat Bizinjo, Global Head of Regulatory Affairs) is the Group's designated senior individual responsible for overseeing the AML/CFT programme. The MLRO shall:

  • Own, maintain, and update this Policy;
  • Produce and maintain the annual FCRA;
  • Review, investigate, and determine the outcome of all ISARs;
  • File STRs with relevant FIUs as required;
  • Report to the Board quarterly on the state of the AML/CFT programme, including STR filing statistics, transaction monitoring alert volumes and dispositions, CDD completion rates, and training compliance;
  • Liaise with regulators on AML/CFT matters, including the DFSA, MAS, FINTRAC, FMU, BFIU, FIU-Nepal, and law enforcement;
  • Approve EDD decisions for high-risk customers;
  • Approve all correspondent banking and remittance partner relationships;
  • Ensure staff training obligations are met;
  • Maintain direct access to the Board and act independently of commercial pressures.

8.2.2 The MLRO shall have a formally designated deputy MLRO who is authorised to exercise all MLRO functions during the MLRO's absence.

8.3 Chief Compliance Officer (CCO)

8.3.1 The CCO is responsible for the Group's overall compliance function, within which the AML/CFT programme sits. The CCO shall support the MLRO, ensure that adequate compliance resources are in place, and report to the Board on compliance matters including AML/CFT.

8.4 Country Compliance Officers

8.4.1 Each operating jurisdiction shall have a designated compliance officer or compliance representative responsible for ensuring that the Group's local entity complies with applicable local AML/CFT law. Country compliance officers shall:

  • Implement the requirements of the relevant jurisdiction-specific annex (Appendix J);
  • Report suspicious activity to the MLRO;
  • Liaise with local regulators and FIUs;
  • Deliver local staff training;
  • Report to the MLRO on the state of local AML/CFT compliance quarterly.

8.5 Customer-Facing Staff

8.5.1 All staff who onboard customers, handle customer queries, process transactions, or otherwise interact with customers are responsible for:

  • Completing mandatory AML/CFT training as required by Section 10;
  • Applying CDD procedures as trained and documented;
  • Identifying and reporting suspicious activity to the MLRO via the ISAR process;
  • Never facilitating or ignoring suspicious activity under commercial or operational pressure;
  • Maintaining the confidentiality of all AML/CFT investigations and STR filings.

8.6 Technology and Data Functions

8.6.1 The technology and data functions shall support the AML/CFT programme by:

  • Maintaining and configuring the transaction monitoring system (in coordination with the MLRO);
  • Ensuring the Eastnets sanctions screening platform is integrated into all relevant transaction flows and customer onboarding journeys;
  • Maintaining data quality and completeness of all data fields relied upon by transaction monitoring and sanctions screening systems;
  • Supporting the MLRO in data analysis and investigation.


9. Procedures

9.1 Onboarding Procedure

9.1.1 The Group's customer onboarding procedure is documented in the KYC Procedure (SGP-FCC-004). This Policy sets out the minimum CDD requirements. Key principles are:

  • No customer shall be onboarded until minimum CDD for the applicable tier has been completed;
  • No transaction shall be processed for a newly onboarded customer until sanctions screening has returned no unresolved matches;
  • Where onboarding is conducted through a third-party agent or white-label partner, the Group shall satisfy itself that the agent/partner applies CDD standards equivalent to those required by this Policy and shall document that assessment. Reliance on a third party's CDD does not transfer ultimate legal responsibility from the Group;
  • The MLRO shall approve all deviations from standard onboarding timelines or requirements.

9.2 PEP Identification and Screening

9.2.1 PEP screening shall be conducted at onboarding and on an ongoing basis using the Eastnets platform, which is configured to check against commercially maintained PEP databases. The Eastnets configuration shall cover:

  • Domestic PEPs (persons holding prominent public functions in the customer's country of residence);
  • Foreign PEPs (persons holding prominent public functions in any foreign country);
  • International Organisation PEPs;
  • RCAs (close family members and known close business associates of PEPs).

9.2.2 A PEP match shall be treated as a potential positive until cleared through a documented review process. Confirmed PEP identification shall trigger EDD procedures under Section 5.3.

9.2.3 All PEP relationships shall be approved by senior management at a minimum of CCO level, and by the MLRO for foreign PEPs.

9.3 Transaction Monitoring Procedures

9.3.1 The transaction monitoring workflow is as follows:

Stage | Responsible Party | Timeframe
Alert generation | Automated (monitoring system) | Real-time / batch
Alert assignment | Compliance analyst queue management | Within 4 hours
L1 review: initial assessment | Compliance analyst | Within 2 business days
L2 review: escalated cases | Senior compliance analyst | Within 3 business days of escalation
L3 review: complex or high-risk | MLRO | Within 5 business days of escalation
ISAR submission | Any staff member / compliance analyst | Immediately upon forming suspicion
MLRO investigation | MLRO / designated analyst | Within 15 business days of ISAR
STR filing | MLRO | As soon as practicable; jurisdiction deadlines apply

9.3.2 All alert dispositions shall be documented with sufficient detail to explain the decision. Alerts closed as false positives shall record the specific reason. Alerts escalated shall record the escalation rationale.

9.4 STR Filing Procedure by Jurisdiction

9.4.1 STR filing obligations and FIU contact details by jurisdiction are set out in Appendix D. The following minimum timeline applies in all jurisdictions:

  • Immediate (same day): MLRO notified of suspicion; transaction blocked or suspended if required;
  • Within 24 hours: MLRO triage complete; initial determination on STR likelihood;
  • Within 15 business days: MLRO investigation complete and decision documented;
  • As soon as practicable following decision to file: STR submitted to relevant FIU.

9.4.2 Where a jurisdiction imposes a shorter filing deadline, that deadline shall prevail. The MLRO shall maintain a jurisdiction-by-jurisdiction timeline matrix (Appendix D).


10. Training and Awareness

10.1 Training Obligations

10.1.1 All employees within the scope of this Policy shall complete AML/CFT training. Training is mandatory. Non-completion within the prescribed timeframe is a disciplinary matter.

10.1.2 Training requirements by role are:

Role Category | Training Type | Frequency
All employees | AML/CFT Awareness (online module) | Annual
Customer-facing staff | AML/CFT for Frontline Staff (enhanced module including red flags, CDD, reporting) | Annual; additional refresher within 3 months of joining
Compliance and financial crime staff | AML/CFT Technical Training (advanced, including monitoring, investigation, reporting) | Annual; role-specific on any material regulatory change
Senior management (ELT and direct reports) | AML/CFT for Senior Management (governance, oversight, regulatory obligations, personal liability) | Annual
MLRO and deputy | External AML/CFT CPD (minimum 8 hours per annum from accredited providers) | Annual
New joiners (all roles) | Induction AML/CFT training before or within 5 business days of commencing any customer-facing or compliance duties | On joining

10.1.3 Training records shall be maintained by the People function and made available to the MLRO and internal audit on request. Training completion rates by department and jurisdiction shall be reported to the Board annually.

10.1.4 Training content shall be reviewed annually by the MLRO to ensure it reflects current regulatory requirements, typologies, and internal risk profile.


11. Record-Keeping

11.1 Minimum Retention Requirements

11.1.1 The Group shall maintain records of all CDD information, transaction records, training records, STRs, and related AML/CFT documentation in accordance with applicable law. Minimum retention periods are:

Record Type | Minimum Retention Period
CDD / KYC documentation | 6 years from end of relationship (DFSA); 5 years (FINTRAC); jurisdiction-specific where longer
Transaction records | 6 years (DFSA); 5 years (FINTRAC); jurisdiction-specific where longer
STRs and investigation records | 6 years from date of filing (DFSA); 7 years (FINTRAC)
Training records | 5 years
FCRA and supporting documentation | 6 years from approval date
Sanctions screening records | 6 years

11.1.2 Where multiple retention requirements apply to the same record due to multi-jurisdictional obligations, the longest applicable period shall govern.

11.1.3 Records shall be maintained in a format that allows for their timely retrieval in response to regulatory requests or law enforcement enquiries. Records shall be protected against unauthorised access, alteration, and destruction.


12. Monitoring and Reporting

12.1 MLRO Reporting to Board

12.1.1 The MLRO shall report to the Board (or its Risk Committee) at minimum quarterly. The quarterly MLRO report shall include:

  • Summary of STRs filed in the period (jurisdiction, product, amounts, outcomes);
  • Transaction monitoring alert volumes, disposition rates, and escalation rates;
  • CDD completion and periodic review status (including overdue reviews);
  • New high-risk customer onboardings and EDD decisions;
  • Training completion rates;
  • Regulatory developments and horizon-scanning summary;
  • Key risks, emerging trends, and management actions.

12.1.2 The MLRO shall produce an Annual AML/CFT Report, submitted to the Board and available to the DFSA on request, covering the full performance of the AML/CFT programme in the preceding year and the planned programme for the coming year.

12.2 Key Performance Indicators

12.2.1 The Group shall track and report the following AML/CFT KPIs:

KPI | Target
AML training completion rate | 100% within due date
Transaction monitoring alert review within SLA | ≥ 95%
CDD periodic reviews completed on schedule | ≥ 98%
STRs filed within regulatory deadline | 100%
High-risk customer reviews overdue > 30 days | 0
Sanctions screening coverage (% of transactions screened) | 100%

13. Independent Testing and Audit

13.1 The Group's AML/CFT programme shall be subject to independent testing by the Internal Audit function (Third Line of Defence) at minimum annually. The scope of AML/CFT audit shall include: CDD sampling, transaction monitoring effectiveness, STR process, training compliance, record-keeping, and governance.

13.2 The MLRO shall also commission a periodic independent external review of the AML/CFT programme, at minimum every three years or following a material regulatory finding, enforcement action, or significant change to the business.

13.3 Findings from internal audit and external reviews shall be reported to the Board Risk Committee. Management responses and remediation timelines shall be documented and tracked to closure.


14. Exceptions

14.1 Any deviation from the requirements of this Policy requires a documented exception, including: the specific requirement being deviated from; the business justification; the risk assessment; compensating controls; the approving authority; and the time limit on the exception.

14.2 Exception approval authorities are:

  • Minor procedural deviations (e.g., extended CDD timeline for an existing low-risk customer): CCO;
  • Material deviations from CDD requirements: MLRO;
  • Deviations from the Policy itself or from EDD obligations: MLRO with Board Risk Committee notification.

14.3 No exception shall be granted that would place the Group in breach of applicable law or regulation.

14.4 All exceptions shall be logged in the Exception Register, reviewed quarterly by the MLRO, and reported to the Board annually.


  • Sanctions Screening Policy (SGP-FCC-002)
  • Counter-Terrorist Financing Procedures (SGP-FCC-003)
  • KYC Procedure (SGP-FCC-004)
  • Customer Risk Assessment Framework (SGP-FCC-005)
  • Outsourcing and Third-Party Management Policy (SGP-OPS-002)
  • Data Governance Policy (SGP-CDO-001)
  • Whistleblowing Policy (SGP-GOV-002)
  • Operational Resilience Policy (SGP-OPS-001)
  • Code of Conduct

16. Appendices

Appendix A: Group Organisational Chart - Compliance and Financial Crime Function

Appendix B: ML/TF Typologies Relevant to Simpaisa's Products and Corridors

Appendix C: Customer Risk Scoring Methodology (summary; full detail in SGP-FCC-005)

Appendix D: STR Filing Obligations, Deadlines, and FIU Contact Details by Jurisdiction

Appendix E: Transaction Monitoring Rules and Scenarios by Product Line

Appendix F: EDD Requirements - PEP and RCA Checklist

Appendix G: Correspondent Banking and Remittance Partner Due Diligence Checklist

Appendix H: Crypto Off-Ramp AML Controls - Additional Requirements

Appendix I: Internal Suspicious Activity Report (ISAR) Form

Appendix J: Jurisdiction-Specific Annexes

  • Annex J1: UAE / DIFC (DFSA AML Module requirements)
  • Annex J2: Singapore (MAS PSN01/PSN02 requirements)
  • Annex J3: Pakistan (SBP AML Regulations and FMU reporting)
  • Annex J4: Bangladesh (BFIU AML/CFT Guidelines)
  • Annex J5: Nepal (NRB AML/CFT Unified Directive)
  • Annex J6: Iraq (CBI AML/CFT Instructions)
  • Annex J7: United Kingdom (MLR 2017 and FCA Financial Crime Guide)
  • Annex J8: Canada (FINTRAC PCMLTFA requirements)


POLICY 2: SANCTIONS SCREENING POLICY


SIMPAISA GROUP

SANCTIONS SCREENING POLICY


Field | Detail
Document Reference | SGP-FCC-002
Version | 1.0
Status | Active
Owner | Money Laundering Reporting Officer (MLRO)
Approver | Board of Directors
Effective Date | 1 April 2026
Next Review Date | 1 April 2027
Classification | Confidential

Document Control

Revision History

Version | Date | Author | Changes
0.1 | January 2026 | MLRO Office | Initial draft
0.2 | February 2026 | MLRO, Legal, Technology | Internal review; Eastnets configuration review
0.3 | March 2026 | MLRO | Iraq and Pakistan jurisdiction-specific procedures added; crypto controls integrated
1.0 | April 2026 | Board of Directors | Board-approved final version

Distribution

This policy is classified as Confidential. It is distributed to all Board members, the Executive Leadership Team, all compliance and financial crime staff, all technology staff with responsibility for sanctions screening system configuration, and all country compliance officers. It is available on the internal policy management system. It is not distributed externally except as required by regulatory obligation.

  • Anti-Money Laundering and Counter-Terrorist Financing Policy (SGP-FCC-001)
  • Counter-Terrorist Financing Procedures (SGP-FCC-003)
  • KYC Procedure (SGP-FCC-004)
  • Operational Resilience Policy (SGP-OPS-001) - screening availability obligations
  • Data Governance Policy (SGP-CDO-001)

1. Purpose and Scope

1.1 Purpose

This Sanctions Screening Policy ("Policy") establishes the framework, controls, and procedures by which Simpaisa Group ("Simpaisa" or "the Group") identifies, assesses, and responds to potential exposure to individuals, entities, vessels, and jurisdictions subject to applicable financial sanctions regimes.

Financial sanctions are legal prohibitions imposed by governmental and intergovernmental bodies that restrict or prohibit transactions with designated persons, entities, or countries. Violations of sanctions laws carry severe consequences, including substantial financial penalties, loss of licences, criminal liability for individuals, and reputational damage. The Group's cross-border payment operations create inherent sanctions exposure, which must be systematically identified and managed.

This Policy is designed to:

  • Define the sanctions regimes applicable to the Group's operations;
  • Establish mandatory screening requirements at all stages of the customer lifecycle and transaction processing;
  • Define the technology standards and configuration requirements for the Eastnets sanctions screening platform;
  • Set out the workflow for handling screening hits, false positives, and true matches;
  • Ensure that the Group never facilitates transactions for or with sanctioned parties;
  • Address jurisdiction-specific enhanced sanctions obligations, including Iraq and Pakistan.

1.2 Scope

This Policy applies to:

  • All entities within the Simpaisa Group;
  • All employees, contractors, and third-party agents involved in customer onboarding, transaction processing, or compliance functions;
  • All customers - natural persons and legal entities - and their beneficial owners, directors, and authorised signatories;
  • All transactions processed through any Simpaisa product or service, including Pay-In, Pay-Out, Remittance, Crypto Off-Ramp, and White-Label Wallet;
  • All correspondent banks, remittance partners, and third-party payment service providers;
  • All cryptocurrency wallet addresses processed through the Crypto Off-Ramp product.


2. Definitions

Term | Definition
Designated Person | An individual or entity whose name appears on an applicable sanctions list, and against whom sanctions restrictions therefore apply.
DFSA | Dubai Financial Services Authority.
False Positive | A screening alert generated by a potential name match that, on review, does not correspond to a designated person.
Fuzzy Matching | A name-matching technique that identifies approximate or phonetic similarities in names, accounting for transliteration variations, spelling differences, and aliases.
IRGC | Islamic Revolutionary Guard Corps - a branch of the Iranian Armed Forces designated as a terrorist organisation by multiple jurisdictions.
List Update | The addition of new designated persons, entities, or jurisdictions to a sanctions list, or the removal (delisting) of previously designated parties.
NACTA | National Counter Terrorism Authority - Pakistan's central counter-terrorism body, which maintains a domestic terrorist designation list.
OFAC | Office of Foreign Assets Control - the U.S. Treasury Department agency responsible for administering and enforcing economic and trade sanctions.
OFSI | Office of Financial Sanctions Implementation - the UK authority within HM Treasury responsible for implementing and enforcing UK financial sanctions.
SDN | Specially Designated Nationals and Blocked Persons List - OFAC's primary list of designated parties.
Sectoral Sanctions | Targeted restrictions imposed by OFAC that prohibit certain types of transactions with designated entities in specific sectors, without a full transaction block.
True Match | A screening alert confirmed, after review, to correspond to a designated person or entity.
VASP | Virtual Asset Service Provider - an entity conducting business activities involving the exchange, transfer, custody, or administration of virtual assets.

3. Policy Statements

3.1 Zero Tolerance for Sanctions Violations

3.1.1 The Group maintains a zero-tolerance approach to sanctions violations. No transaction shall be processed, no relationship established, and no service provided to any individual or entity that is a designated person under any applicable sanctions regime, unless authorised by the relevant sanctions authority via a specific licence.

3.1.2 The requirement to screen all customers and transactions applies without exception. There are no commercial, operational, or competitive grounds on which sanctions screening may be bypassed or delayed.

3.1.3 If the Eastnets screening system is unavailable for any reason, payment processing shall be suspended in accordance with the requirements of the Operational Resilience Policy (SGP-OPS-001). The Group shall not process transactions without active sanctions screening under any circumstances.

3.2 Applicable Sanctions Regimes

3.2.1 The Group screens against the following sanctions regimes as a minimum:

Sanctions Regime | Authority | Lists Screened
United Nations | UN Security Council | UN Consolidated List (pursuant to UNSCR 1267, 1373, 1988, 2253, and successor resolutions)
United States | OFAC (U.S. Treasury) | SDN List; Consolidated Sanctions List; Sectoral Sanctions Identifications (SSI) List
European Union | European External Action Service | EU Consolidated Financial Sanctions List
United Kingdom | OFSI (HM Treasury) | UK Financial Sanctions List
UAE | UAE Supreme Council for National Security | UAE Local Terrorist List; Cabinet Resolution 74 of 2020 list
DIFC / DFSA | DFSA | DFSA sanctions guidance and designated lists
Canada | Global Affairs Canada / FINTRAC | Consolidated Canadian Autonomous Sanctions List; PCMLTFA-mandated lists
Pakistan | NACTA; SBP | NACTA proscribed organisation and individual list; UN list domestic implementation
Bangladesh | Bangladesh Financial Intelligence Unit | UN list implementation; BFIU designated terrorist list

3.2.2 The Group shall not limit its screening to only those regimes where it has a legal obligation arising from the jurisdiction of the transacting customer. Given the Group's USD-denominated settlement flows, OFAC jurisdiction applies to all USD transactions regardless of the nationality of the customer.

3.2.3 The MLRO shall review the list of applicable regimes at least annually and following any major geopolitical event, new designation programme, or regulatory instruction. Any new regime shall be added to the Eastnets configuration within 30 days of the MLRO's determination that it applies to the Group.


4. Screening Triggers

4.1 Customer Onboarding

4.1.1 Sanctions screening shall be conducted against all sanctions lists before a customer relationship is established or any transaction is processed for a new customer. Screening at onboarding shall cover:

  • The customer (individual or entity);
  • All beneficial owners holding 25% or more;
  • All directors, officers, and authorised signatories of corporate customers;
  • For remittance transactions: the sending and receiving parties (name, country);
  • For crypto off-ramp: the originating wallet address.

4.1.2 The onboarding journey shall be designed so that a sanctions screening result is returned before identity verification is marked complete. No account shall be activated until all onboarding screening results have been reviewed and resolved.

4.2 Transaction-Level Screening

4.2.1 Every transaction initiated through any Simpaisa product or service shall be screened in real time against all applicable sanctions lists at the point of initiation. Transaction screening shall apply to:

  • The originating party (customer name, country, account reference);
  • The beneficiary party (name, country, account reference, bank BIC);
  • The remittance operator or correspondent bank (where applicable);
  • The originating wallet address (for crypto transactions).

4.2.2 Transactions shall be held in a processing queue pending a clean sanctions screening result. The Group's systems shall be designed so that a transaction cannot proceed to settlement if it is in a screening hold.

4.3 Periodic Ongoing Screening

4.3.1 All active customers shall be screened against all applicable sanctions lists on a periodic basis, independent of transaction activity. Periodic screening shall occur at minimum:

  • Weekly for high-risk customers and customers transacting in high-risk corridors;
  • Monthly for standard-risk customers;
  • Immediately following any new list update received from Eastnets or relevant authorities.

4.3.2 Periodic screening shall cover the same parties as onboarding screening (customer, UBOs, directors, signatories).

4.4 Ad-Hoc Screening on New Designations

4.4.1 When the Group receives notification of a new designation (whether via Eastnets automated list updates, a DFSA alert, an OFAC press release, or any other source), the compliance team shall assess whether any existing customer matches the newly designated party. This ad-hoc screening shall be completed within 24 hours of receiving notification of a designation.

4.4.2 The Eastnets platform shall be configured to ingest new list updates automatically and to generate alerts for any new matches against existing customers within the customer database.


5. Screening Technology - Eastnets Platform

5.1 Platform Configuration

5.1.1 Simpaisa uses the Eastnets eSANCTIONS Screening platform as its primary sanctions screening technology. The platform shall be configured and maintained to the standards set out in this section. Configuration decisions shall be made jointly by the MLRO, the Head of Financial Crime Technology, and the Eastnets account team.

5.1.2 The Eastnets configuration shall:

  • Integrate all sanctions lists set out in Section 3.2 and automatically update them from authoritative sources;
  • Be configured to receive and process list updates without manual intervention, at minimum daily;
  • Apply fuzzy matching to all name fields, with thresholds calibrated in accordance with Section 5.2;
  • Generate an alert for every potential match for human review;
  • Maintain a full audit trail of all screening events, alerts, and dispositions;
  • Be integrated into the customer onboarding journey, the real-time transaction processing pipeline, and the periodic screening batch process.

5.1.3 The Eastnets platform shall be designated as a critical third-party system under the Outsourcing and Third-Party Management Policy (SGP-OPS-002). Availability requirements are governed by the Operational Resilience Policy (SGP-OPS-001), which requires screening to be available at all times payment processing is active.

5.2 Fuzzy Matching Thresholds

5.2.1 Fuzzy matching thresholds shall be calibrated to minimise the risk of a true match being missed (false negative) whilst maintaining a manageable false positive rate. The default thresholds applied by the Group are:

Customer Segment | Minimum Match Score for Alert Generation | Rationale
Individual customers - standard | 85% | Balance of sensitivity and operational manageability
Individual customers - high-risk / PEP | 80% | Increased sensitivity for elevated-risk customers
Corporate customers | 80% | Name transliteration variation risk
Remittance beneficiaries (high-risk corridors) | 80% | Corridor risk (Iraq, Pakistan)
Crypto wallet addresses | Exact match | Deterministic - no fuzzy matching required

5.2.2 Thresholds shall be reviewed at least quarterly by the MLRO. Any proposal to increase a threshold (reducing sensitivity) must be approved by the MLRO and documented with rationale. Thresholds shall never be increased beyond 90% without Board Risk Committee notification.

5.2.3 In addition to threshold-based matching, the Eastnets platform shall be configured to apply phonetic matching algorithms (Soundex, Metaphone) for all Arabic-script transliterated names, to address the particular challenges of Arabic-to-English name variation common in the Group's operating corridors.
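The segment thresholds in 5.2.1 and the phonetic fallback in 5.2.3 can be illustrated with the following added example, which is not part of the Policy and is not Eastnets code. It assumes Python's difflib similarity ratio as a stand-in for the platform's match score, implements Soundex only (not Metaphone), and uses hypothetical segment keys and constructed sample names and wallet values.

```python
import unicodedata
from difflib import SequenceMatcher

# Minimum match score for alert generation, per the table in 5.2.1.
# The dictionary keys are hypothetical labels chosen for this example.
THRESHOLDS = {
    "individual_standard": 0.85,
    "individual_high_risk_pep": 0.80,
    "corporate": 0.80,
    "remittance_high_risk_corridor": 0.80,
}

_SOUNDEX = {c: d for d, letters in {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
                                    "4": "L", "5": "MN", "6": "R"}.items()
            for c in letters}


def normalise(name):
    """Strip diacritics, upper-case, and turn punctuation into spaces."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join("".join(c if c.isalnum() else " " for c in plain.upper()).split())


def soundex(word):
    """American Soundex: first letter plus three digits."""
    letters = [c for c in word.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    code, prev = letters[0], _SOUNDEX.get(letters[0], "")
    for c in letters[1:]:
        digit = _SOUNDEX.get(c, "")
        if digit and digit != prev:
            code += digit
        if c not in "HW":  # H and W do not separate equal codes; vowels do
            prev = digit
    return (code + "000")[:4]


def phonetic_key(name):
    """Order-independent tuple of Soundex codes, one per name token."""
    return tuple(sorted(soundex(t) for t in normalise(name).split()))


def similarity(a, b):
    """Stand-in match score in [0, 1]; not the screening platform's scoring."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen_name(candidate, listed_names, segment):
    """Return one alert per listed name that meets the segment threshold
    or, failing that, has the same phonetic key (5.2.3)."""
    threshold = THRESHOLDS[segment]
    key = phonetic_key(candidate)
    alerts = []
    for listed in listed_names:
        score = similarity(candidate, listed)
        by_score = score >= threshold
        by_sound = bool(key) and key == phonetic_key(listed)
        if by_score or by_sound:
            alerts.append({"listed": listed, "score": round(score, 3),
                           "reason": "score" if by_score else "phonetic"})
    return alerts


def screen_wallet(address, designated_addresses):
    """Wallet addresses are matched exactly (5.2.1); no fuzzy logic."""
    return address.strip() in designated_addresses


# Constructed sample data, not taken from any real sanctions list.
WATCHLIST = ["Yousef Hussein", "Muhammad Al Rashid"]
DESIGNATED_WALLETS = {"EXAMPLE-WALLET-ADDRESS-0001"}

if __name__ == "__main__":
    for segment in ("individual_standard", "individual_high_risk_pep"):
        print(segment, screen_name("Yusuf Hussain", WATCHLIST, segment))
```

The same candidate scores between 80% and 85% against the constructed list entry, so it alerts on score for the high-risk segment and only through the phonetic key for the standard segment. Every alert still goes to human review under Section 6.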

5.3 List Update Frequency

5.3.1 Sanctions lists shall be updated in the Eastnets platform:

  • Automatically, on a continuous basis via Eastnets' list management service;
  • At minimum daily for OFAC SDN, EU Consolidated, UK OFSI, and UN Consolidated lists;
  • Within four hours of any emergency designation (where technically feasible) - the MLRO and Head of Financial Crime Technology shall maintain an escalation protocol for emergency designation events.

5.3.2 The MLRO shall maintain a record of list update confirmations from Eastnets, reviewed monthly, to ensure that no list has become stale.


6. Hit Review and Disposition Workflow

6.1 Workflow Overview

6.1.1 Every sanctions screening alert (hit) shall be reviewed and formally disposed of by a trained analyst. No alert shall be auto-dismissed without human review.

6.1.2 The workflow for hit review is:

Stage | Responsible Party | Timeframe
Alert generation | Eastnets system | Real-time / batch
Initial assessment (L1) - false positive determination | Compliance Analyst | Within 2 business hours for transaction-level hits; within 1 business day for onboarding and periodic hits
Secondary review (L2) - complex or ambiguous cases | Senior Compliance Analyst | Within 4 business hours of L1 escalation
Final determination - potential true match | MLRO | Within 1 business hour of L2 escalation
True match confirmed - blocking and reporting | MLRO | Immediate (see Section 7)

6.2 False Positive Review

6.2.1 A false positive determination may be made at L1 or L2 where the analyst can confirm, on the basis of available information, that the matched individual or entity is clearly not the designated party. Grounds for a false positive determination include:

  • Materially different date of birth (where available);
  • Different nationality or country of residence in combination with name variation;
  • Different address and no other corroborating risk factor;
  • The match is a well-known legitimate entity (e.g., a major bank) clearly not the designated party.

6.2.2 A false positive determination must be documented with the specific reasons for the determination, the data reviewed, and the analyst's identity and timestamp. False positive determinations may not be made on the basis of commercial considerations.

6.2.3 Where an analyst is uncertain whether a determination is a false positive or a true match, the case shall be escalated to the next level. Uncertainty shall always result in escalation, never in a false positive determination.

6.2.4 All false positive dispositions shall be retained in the Eastnets audit trail and shall be subject to periodic quality assurance review by the MLRO or senior compliance staff, to identify potential systematic errors in false positive determination.

6.3 Escalation to MLRO

6.3.1 Cases shall be escalated to the MLRO in the following circumstances:

  • The L1 or L2 analyst cannot exclude the possibility of a true match;
  • The match involves a FATF blacklist or OFAC SDN-listed jurisdiction;
  • The match involves a PEP or a person associated with a government-owned entity;
  • The transaction involves a crypto wallet address on an OFAC-sanctioned addresses list;
  • The customer is an existing customer with a history of prior alerts;
  • The L2 analyst disagrees with the L1 determination.


7. True Match Escalation and Response

7.1 Immediate Actions

7.1.1 Where the MLRO confirms a true match - that is, that a customer, counterparty, or transaction is connected to a designated person or entity - the following immediate actions shall be taken:

  • Immediate block: The transaction or account shall be blocked immediately. No payment shall be released and no new transaction accepted from or for the designated party.
  • Asset freeze: Where applicable law requires assets to be frozen (not merely blocked), the MLRO shall initiate the asset freeze process with the relevant regulatory authority.
  • MLRO notification: The MLRO shall be notified within one hour of the true match determination (or, where the MLRO makes the determination themselves, immediately upon confirmation).
  • Senior management notification: The CEO and CCO shall be notified by the MLRO within four hours.

7.2 Regulatory Reporting

7.2.1 Following a true match, the MLRO shall report to the relevant regulatory authorities as required by applicable law. Reporting obligations by jurisdiction are summarised in Appendix C. Key obligations include:

Jurisdiction | Authority | Reporting Obligation
DIFC / UAE | DFSA; UAE goAML system | Report designated match; comply with DFSA notification requirements
UK | OFSI (HM Treasury) | Report to OFSI; apply for licence if any dealing contemplated
USA (OFAC exposure) | OFAC | Report blocked property; file required OFAC reports
Canada | FINTRAC | Report under PCMLTFA
Pakistan | SBP; FMU | Report under AML Act; comply with UNSCR domestic implementation

7.2.2 The MLRO shall determine whether an STR to the relevant FIU is also required (in addition to, or independent of, sanctions reporting). The STR obligation under AML law is separate from and additional to the sanctions reporting obligation.

7.2.3 The MLRO shall maintain a log of all true matches, regulatory reports, asset freeze actions, and their outcomes.

7.3 Customer Communication

7.3.1 Where a true match is confirmed, the MLRO shall determine whether, and in what terms, to communicate with the customer, giving full regard to tipping-off obligations under AML law. In general, the Group shall not inform the customer of the specific reason for blocking.

7.3.2 Commercially-facing communications following a sanctions block shall be coordinated between the MLRO, the CCO, and Legal.


8. Sanctions Evasion Indicators and Red Flags

8.1 General Red Flags

8.1.1 All staff shall be trained to identify and report the following red flags for potential sanctions evasion:

  • A customer or counterparty requests that a transaction be structured to avoid a specific screening threshold or named party;
  • Transactions routed through multiple jurisdictions or entities in a manner that obscures the ultimate originator or beneficiary;
  • Use of shell companies, nominees, or layered corporate structures with no evident business purpose in high-risk jurisdictions;
  • Transactions involving jurisdictions, persons, or entities known to be used as conduits for sanctioned parties (e.g., front companies for Iranian or North Korean interests);
  • Customer provides inconsistent information about the purpose, destination, or parties to a transaction;
  • Counterparty has a name, address, or other identifying detail that is suspiciously similar to, but not identical to, a designated party;
  • A corporate customer has ownership or management changes that introduce new parties with sanctions-risk profiles;
  • Correspondent or remittance partner operates in a jurisdiction where effective sanctions enforcement is absent.

8.2 Crypto-Specific Red Flags

8.2.1 For Crypto Off-Ramp transactions, the following additional indicators apply:

  • Wallet address is associated with known darknet markets, mixers, or sanctioned exchanges;
  • Transaction originates from a jurisdiction with significant IRGC or DPRK state-sponsored cyber activity;
  • Wallet clustering analysis indicates association with an OFAC-designated VASP or address;
  • Rapid conversion of large crypto amounts with no clear business purpose;
  • Customer refuses to confirm source of cryptocurrency funds.

8.2.2 The MLRO shall maintain an updated list of OFAC-designated wallet addresses and shall ensure this list is integrated into the blockchain analytics tool used for Crypto Off-Ramp screening. The specific blockchain analytics tooling requirements are set out in Appendix D.


9. Correspondent Bank Sanctions Due Diligence

9.1 Before establishing any correspondent banking or remittance partner relationship, the Group shall conduct sanctions due diligence on the prospective partner, including:

  • Screening of the institution and its principals against all applicable sanctions lists;
  • Assessment of the jurisdiction of incorporation and operation, and the sanctions risk profile of that jurisdiction;
  • Assessment of the partner's own sanctions compliance programme - whether it maintains an equivalent or adequate screening capability;
  • Review of publicly available regulatory action or enforcement history relating to sanctions compliance;
  • Ongoing annual due diligence review of the partner's sanctions compliance posture.

9.2 The Group shall not establish or maintain a correspondent or remittance partner relationship with any entity that is itself subject to sanctions, or where the Group has reasonable grounds to believe the partner does not maintain adequate sanctions screening controls.


10. Jurisdiction-Specific Enhanced Sanctions Procedures

10.1 Iraq

10.1.1 Iraq presents heightened sanctions risk due to proximity and documented commercial linkages with IRGC-affiliated entities and Specially Designated Global Terrorists (SDGTs) designated under OFAC E.O. 13224. The Group shall apply the following enhanced procedures for all Iraq-corridor transactions:

  • All Iraqi customers shall be subject to EDD as standard, including enhanced beneficial ownership verification;
  • All Iraq-origin and Iraq-destination transactions shall be screened against OFAC SDN with a reduced fuzzy matching threshold of 80%;
  • Transaction monitoring rules for Iraqi customers shall include specific IRGC-adjacency indicators (Appendix E);
  • The MLRO shall review a sample of at minimum 10% of Iraq-corridor transactions monthly;
  • No new Iraq-corridor remittance partner relationship shall be established without MLRO and CEO approval;
  • Any Iraq-corridor transaction above USD 5,000 shall be subject to enhanced beneficiary due diligence;
  • Transactions involving entities in the Iraqi Kurdistan Region shall be separately flagged and reviewed for compliance with Central Bank of Iraq authorisation requirements.

10.1.2 The MLRO shall maintain awareness of Central Bank of Iraq (CBI) directives restricting transactions with specified entities, and shall ensure these restrictions are reflected in transaction monitoring rules.

10.2 Pakistan

10.2.1 Pakistan is a FATF grey-list jurisdiction (under active FATF monitoring) with specific domestic sanctions obligations implemented under the Anti-Terrorism Act 2009. The Group shall apply the following enhanced procedures for Pakistan-corridor transactions:

  • All customers with Pakistani nationality or a Pakistan-registered remittance destination shall be screened against the NACTA proscribed individuals and organisations list, in addition to standard sanctions lists. The NACTA list shall be updated in Eastnets at minimum weekly;
  • UNSCR 1267 (ISIL, Al-Qaeda, Taliban) designations shall be specifically highlighted in all Pakistan-corridor screenings;
  • The Group shall maintain awareness of SBP-issued AML/CFT circulars that designate or restrict specific entities, and shall implement restrictions within 24 hours of SBP notification;
  • Pakistan-corridor transactions above USD 3,000 shall require enhanced source of funds documentation where the transaction pattern is inconsistent with the customer's profile;
  • The MLRO shall conduct a specific review of the Pakistan sanctions and AML regime status at each annual FCRA, with reference to Pakistan's FATF action plan compliance progress.

11. Record-Keeping and Audit Trail

11.1 The Eastnets platform shall maintain a complete and tamper-proof audit trail of all screening events, including: the name(s) screened; the lists screened against; the match score; the alert generated; the analyst who reviewed; the disposition (false positive or escalation); the MLRO's determination; and any action taken.

11.2 Screening records shall be retained for a minimum of six years (DFSA requirement) or longer where applicable local law requires. The record-keeping requirements of SGP-FCC-001, Section 11 apply to all sanctions screening records.

11.3 The audit trail shall be available to regulators, internal audit, and external auditors on request, and shall be produced in a format that enables regulators to assess the completeness and quality of the Group's screening programme.


12. Staff Training on Sanctions

12.1 All employees shall complete sanctions awareness training as part of the AML/CFT training programme set out in SGP-FCC-001, Section 10. Sanctions-specific training modules shall cover:

  • The key sanctions regimes applicable to the Group;
  • The consequences of sanctions violations;
  • How to identify sanctions evasion red flags;
  • How to escalate a potential sanctions hit;
  • The tipping-off prohibition in the context of sanctions.

12.2 Compliance analysts responsible for sanctions screening shall complete enhanced sanctions training, including Eastnets platform operation and hit review procedures, within 30 days of assuming screening responsibilities and annually thereafter.

12.3 The MLRO and deputy shall maintain sanctions-specific CPD, including awareness of OFAC regulatory developments, at minimum annually.


13. Annual Sanctions Risk Assessment

13.1 The MLRO shall conduct a Sanctions Risk Assessment at minimum annually, as part of or as an annex to the Group-Wide Financial Crime Risk Assessment (FCRA). The Sanctions Risk Assessment shall:

  • Identify and rate the sanctions risk profile of the Group's products, corridors, and customer segments;
  • Assess the adequacy of the Eastnets configuration and fuzzy matching calibration;
  • Review the list of applicable sanctions regimes for completeness;
  • Assess the quality of false positive review and the risk of true match misidentification;
  • Review the outcomes of all true matches in the period;
  • Assess the effectiveness of sanctions training;
  • Identify and prioritise any gaps or enhancements required.

13.2 The Sanctions Risk Assessment shall be presented to the Board Risk Committee annually.


14. Monitoring and Reporting

14.1 Sanctions KPIs

14.1.1 The MLRO shall report the following sanctions KPIs to the Board quarterly:

KPI | Target
Sanctions screening coverage (% of transactions screened) | 100%
Average alert review time (transaction-level) | < 2 business hours
Average alert review time (onboarding and periodic) | < 1 business day
False positive rate (% of alerts closed as false positive) | Tracked; threshold changes require MLRO sign-off
True matches confirmed in period | Full report to Board
Sanctions training completion rate | 100% within due date
List update latency (average delay from authoritative source to Eastnets) | < 24 hours

15. Exceptions

15.1 Any deviation from the requirements of this Policy - including any proposal to reduce fuzzy matching sensitivity, reduce the frequency of screening, or defer screening in any circumstances - requires a documented exception approved by the MLRO. No exception shall be granted that would involve processing a transaction without sanctions screening.

15.2 No exception shall permit screening to be bypassed for commercial, operational, or timeline reasons.

15.3 All exceptions shall be logged, reported to the Board Risk Committee quarterly, and reviewed by Internal Audit annually.


  • Anti-Money Laundering and Counter-Terrorist Financing Policy (SGP-FCC-001)
  • Counter-Terrorist Financing Procedures (SGP-FCC-003)
  • KYC Procedure (SGP-FCC-004)
  • Operational Resilience Policy (SGP-OPS-001)
  • Outsourcing and Third-Party Management Policy (SGP-OPS-002)

17. Appendices

Appendix A: Sanctions Regimes - List of Applicable Lists and Sources

Appendix B: Eastnets Configuration Specification (Restricted - Technology and MLRO only)

Appendix C: Sanctions Regulatory Reporting Obligations by Jurisdiction

Appendix D: Crypto Off-Ramp Blockchain Analytics Tool Requirements and OFAC Wallet Screening Procedure

Appendix E: Iraq-Corridor Enhanced Transaction Monitoring Rules

Appendix F: Pakistan NACTA List Screening Procedure

Appendix G: Correspondent Bank Sanctions Due Diligence Checklist

Appendix H: Sanctions Hit Review - Decision Tree and Documentation Template



POLICY 3: COUNTER-TERRORIST FINANCING PROCEDURES


SIMPAISA GROUP

COUNTER-TERRORIST FINANCING PROCEDURES


Field | Detail
Document Reference | SGP-FCC-003
Version | 1.0
Status | Active
Owner | Money Laundering Reporting Officer (MLRO)
Approver | Board of Directors
Effective Date | 1 April 2026
Next Review Date | 1 April 2027
Classification | Confidential

Document Control

Revision History

Version | Date | Author | Changes
0.1 | January 2026 | MLRO Office | Initial draft
0.2 | February 2026 | MLRO, Legal, Country Compliance | Internal review; jurisdiction-specific risk profiles added
0.3 | March 2026 | MLRO | Travel Rule section integrated; FATF Rec 16 compliance approach confirmed
1.0 | April 2026 | Board of Directors | Board-approved final version

Distribution

This policy is classified as Confidential. It is distributed to all Board members, the Executive Leadership Team, all compliance and financial crime staff, country compliance officers, and all customer-facing and operational staff who require awareness of CTF obligations. It is available on the internal policy management system. It is not distributed externally except as required by regulatory obligation.

  • Anti-Money Laundering and Counter-Terrorist Financing Policy (SGP-FCC-001)
  • Sanctions Screening Policy (SGP-FCC-002)
  • KYC Procedure (SGP-FCC-004)
  • Customer Risk Assessment Framework (SGP-FCC-005)
  • Operational Resilience Policy (SGP-OPS-001)

1. Purpose and Scope

1.1 Purpose

This Counter-Terrorist Financing Procedures document ("Procedures") establishes the specific controls, red flags, procedures, and governance obligations that govern Simpaisa Group's ("Simpaisa" or "the Group") response to the risk of terrorist financing (TF) across its products, corridors, and operating jurisdictions.

Terrorist financing is distinct from money laundering in an important respect: whereas money laundering involves processing the proceeds of crime, terrorist financing may involve the movement of funds that are entirely lawful in origin - donations, savings, legitimate business income - to support terrorist organisations or acts. This distinction means that standard AML transaction monitoring, which focuses on patterns indicative of criminal proceeds, is insufficient on its own to detect TF. Additional, CTF-specific controls are required.

Simpaisa's operating geography - with active presence and significant transaction volumes in Pakistan, Bangladesh, Nepal, and Iraq - creates heightened CTF risk, given the mutual evaluation findings, FATF action plan requirements, and documented terrorist financing typologies in these jurisdictions. The Group accepts that managing this risk is both a legal obligation and an ethical imperative.

These Procedures are designed to:

  • Define the CTF regulatory framework applicable to the Group;
  • Identify the heightened CTF risks specific to each jurisdiction of operation;
  • Establish CTF-specific red flags and monitoring scenarios for each product line;
  • Define enhanced due diligence requirements for high-risk CTF corridors;
  • Set out procedures for NPO/charity transaction monitoring;
  • Define targeted financial sanctions obligations and their relationship to CTF;
  • Establish CTF-specific STR indicators and reporting obligations;
  • Define the Group's Travel Rule compliance framework;
  • Set out training, governance, and annual assessment requirements.

1.2 Scope

These Procedures apply to:

  • All entities within the Simpaisa Group;
  • All employees, contractors, and third-party agents;
  • All customers, particularly those transacting in high-risk corridors or using cash-equivalent, crypto, or remittance products;
  • All transactions - retail, wholesale, crypto, and NPO/charity.

These Procedures are complementary to and must be read in conjunction with SGP-FCC-001 (AML/CFT Policy). The AML/CFT Policy sets out the overarching framework; these Procedures provide the specific CTF controls.


2. Definitions

Term | Definition
APG | Asia/Pacific Group on Money Laundering - the FATF-Style Regional Body (FSRB) with jurisdiction over most of Simpaisa's South and Southeast Asian operating jurisdictions.
BFIU | Bangladesh Financial Intelligence Unit - Bangladesh's national FIU.
CBI | Central Bank of Iraq.
CTF | Counter-Terrorist Financing - the set of controls and obligations designed to prevent the Group's products and services from being used to finance terrorism.
FATF | Financial Action Task Force.
FIU | Financial Intelligence Unit.
FMU | Financial Monitoring Unit - Pakistan's national FIU.
IRGC | Islamic Revolutionary Guard Corps - designated as a Foreign Terrorist Organisation (FTO) by the United States and as a terrorist organisation by other jurisdictions.
NACTA | National Counter Terrorism Authority - Pakistan's counter-terrorism body.
NPO | Non-Profit Organisation - charities, trusts, foundations, and similar entities, which FATF Recommendation 8 identifies as particularly vulnerable to TF abuse.
NRB | Nepal Rastra Bank - Nepal's central bank and financial regulator.
Targeted Financial Sanctions (TFS) | Sanctions requiring the immediate freezing of assets and prohibition on making funds available to designated terrorist individuals and organisations, pursuant to UNSCR 1267 and 1373 and successor resolutions.
TF | Terrorist Financing - the provision or collection of funds intended to be used, or knowing that they are to be used, in full or in part, in order to carry out a terrorist act, or by a terrorist organisation.
Travel Rule | The requirement under FATF Recommendation 16 that originator and beneficiary information must be transmitted with cross-border wire transfers and virtual asset transfers above specified thresholds.
UNSCR | United Nations Security Council Resolution.

3. Policy Statements

3.1 CTF Commitment

3.1.1 The Board of Directors and senior management of Simpaisa Group are committed to ensuring that the Group's products and services are never used to finance terrorism. This commitment applies equally across all jurisdictions of operation, regardless of the legal and regulatory maturity of those jurisdictions.

3.1.2 The Group acknowledges that its cross-border remittance products - in particular those serving the UAE-Pakistan, UK-Bangladesh, and Iraq-Pakistan corridors - are inherently exposed to TF risk. This risk is managed through the controls in these Procedures, in coordination with the AML/CFT Policy and Sanctions Screening Policy.

3.1.3 The MLRO has authority to suspend, block, or terminate any customer relationship or transaction where CTF risk cannot be adequately managed, and to exercise that authority without requiring commercial approval.

3.2 Regulatory Framework

3.2.1 The Group's CTF controls are designed to comply with the following primary CTF regulatory framework:

Framework | Key CTF Provisions
FATF Recommendations (2023) | Rec. 5 (TF offence); Rec. 6 (Targeted Financial Sanctions - terrorism); Rec. 7 (Targeted Financial Sanctions - proliferation); Rec. 8 (NPOs); Rec. 16 (Wire Transfers / Travel Rule)
DFSA AML Module | CTF provisions within the Module; DFSA expectations on risk assessment and TFS
UNSCR 1267 (1999) and 2253 (2015) | ISIL and Al-Qaeda sanctions regime; asset freeze and transaction prohibition
UNSCR 1373 (2001) | General counter-terrorism obligations; TFS against terrorism broadly
UNSCR 1988 (2011) | Taliban sanctions regime
Pakistan - Anti-Terrorism Act 2009 | Domestic TF offence; proscribed organisations (via NACTA); reporting obligations to FMU
Bangladesh - Anti-Terrorism Act 2009 | Domestic TF offence; BFIU reporting obligations
Nepal - Terrorism and Disruptive Activities (Control and Punishment) Act | Domestic TF offence; NRB CTF obligations
Iraq - AML/CFT Law No. 39 of 2015 | CBI CTF requirements; TFS implementation
UK - Terrorism Act 2000; Counter-Terrorism Act 2008 | UK TF offences; OFSI TFS obligations
Canada - PCMLTFA | FINTRAC TF reporting; Terrorist Property Reporting

3.2.2 The MLRO shall maintain horizon-scanning for changes to CTF regulatory frameworks, with particular attention to FATF mutual evaluation developments in Pakistan, Bangladesh, Nepal, and Iraq.


4. Jurisdiction-Specific CTF Risk Profiles

4.1 Pakistan

4.1.1 Pakistan presents a heightened CTF risk profile due to:

  • Pakistan's historical listing on the FATF grey list (FATF-monitored jurisdiction with ongoing action plan commitments);
  • Documented presence of designated terrorist organisations, including ISIL-K, Al-Qaeda in the Indian Subcontinent (AQIS), Lashkar-e-Taiba (LeT), Jaish-e-Mohammed (JeM), and Tehrik-i-Taliban Pakistan (TTP);
  • The FMU's CTF reporting framework, which is subject to ongoing FATF assessment;
  • Pakistan's status as a high-volume remittance-receiving country from the GCC and UK, which creates structural TF exposure in inbound corridors;
  • NACTA's designation list, which includes individuals and organisations not yet listed on UNSC lists.

4.1.2 Enhanced CTF controls for Pakistan-corridor transactions are set out in Section 8.1.

4.2 Bangladesh

4.2.1 Bangladesh presents a heightened CTF risk profile due to:

  • FATF mutual evaluation findings and APG assessment of CTF control gaps;
  • Documented domestic and international terrorism threats, including Ansar Al-Islam and Jamaat-ul-Mujahideen Bangladesh (JMB), the latter responsible for the 2016 Holey Artisan Bakery attack;
  • The Bangladesh–Middle East remittance corridor, which is a documented TF typology channel;
  • BFIU CTF reporting obligations, which are evolving and subject to FATF follow-up;
  • Heightened risk of NPO sector abuse for charitable fundraising with terrorist nexus.

4.2.2 Enhanced CTF controls for Bangladesh-corridor transactions are set out in Section 8.2.

4.3 Nepal

4.3.1 Nepal presents an elevated CTF risk profile due to:

  • APG mutual evaluation findings identifying CTF control deficiencies;
  • Nepal's geographic position as a transit country for persons and funds between South Asia and the Gulf;
  • NRB CTF requirements that are less developed than FATF standards, requiring the Group to apply its own higher standards;
  • Risks associated with the Nepal–UAE and Nepal–Malaysia remittance corridors, used by a significant migrant worker population whose transaction behaviour may be used to layer TF-related funds.

4.4 Iraq

4.4.1 Iraq presents the highest CTF risk of any jurisdiction in which the Group operates, due to:

  • Iraq's FATF high-risk or enhanced follow-up status and documented structural weaknesses in the CBI's supervisory capacity;
  • The documented presence and operations of ISIL within Iraqi territory and the ongoing threat of ISIL reconstitution;
  • Proximity to Iran and documented IRGC-affiliated militia networks (Popular Mobilisation Forces - PMF) that engage in financial activity within the Iraqi banking system;
  • CBI restrictions on transactions with certain entities that the Group must implement proactively;
  • The Iraq–Pakistan corridor, which represents a particularly high-risk TF typology, including hawala-adjacent payment flows.

4.4.2 Iraq-specific enhanced CTF and sanctions controls are set out in Section 8.3 and in the Sanctions Screening Policy (SGP-FCC-002), Section 10.1.


5. CTF-Specific Red Flags and Indicators by Product Line

5.1 Pay-In Transactions

5.1.1 The following are CTF-specific red flags for Pay-In transactions (inbound payments into Simpaisa-held accounts or wallets):

  • Funds received from a jurisdiction with a significant designated terrorist organisation presence, inconsistent with the customer's stated purpose;
  • Multiple small inbound payments from different senders aggregating to a round-number total, consistent with a crowd-funding structure used by some TF typologies;
  • Funds received from an NPO, charity, or religious organisation without clear invoicing or commercial purpose;
  • Inbound payment originates from a correspondent bank or MVTS operator known to have weak CTF controls;
  • Customer immediately requests outbound transfer of received funds to a high-risk CTF corridor without credible business purpose;
  • Funds received with payment references suggesting a religious cause or donation (e.g., "sadaqah", "zakat") where the recipient is not a verified NPO.

5.2 Pay-Out Transactions

5.2.1 The following are CTF-specific red flags for Pay-Out transactions (outbound disbursements):

  • Payment destined for a jurisdiction or region with known active terrorist organisation activity (conflict zones, FATF blacklist jurisdictions);
  • Payment to a beneficiary with a name matching, phonetically or closely, a known terrorist organisation or its known fundraising aliases;
  • Payment to a beneficiary described as a "charity" or "community organisation" without independent verification of legitimate status;
  • Rapid disbursement of funds to multiple beneficiaries in different high-risk jurisdictions within a short time window;
  • Beneficiary is an individual whose profile is inconsistent with the stated purpose (e.g., a stated "family support" payment to a non-relative in a conflict zone);
  • Payment to a mobile wallet in a region where mobile money is a documented TF transfer method.

5.3 Remittance Transactions

5.3.1 The following are CTF-specific red flags for remittance transactions:

  • Remittance to or from Pakistan (particularly from UAE/GCC) where the beneficiary is in a region with documented TTP, LeT, or JeM presence;
  • Remittance to or from Bangladesh where the amount, frequency, or beneficiary profile is inconsistent with migrant worker earnings;
  • Remittance to Iraq where the beneficiary is not an identified individual family member and the stated purpose is non-commercial;
  • Customer uses multiple identities, accounts, or sending names for remittance flows;
  • Customer explicitly requests that a transaction avoid specific corridors or routing paths to circumvent monitoring;
  • Sender of funds is located in a jurisdiction where terrorist recruitment or financing activity is known to occur (e.g., certain GCC sub-jurisdictions, parts of sub-Saharan Africa);
  • Remittance amount is inconsistent with the customer's known income profile by a factor of more than three times without explanation.

5.4 Crypto Off-Ramp Transactions

5.4.1 The following are CTF-specific red flags for Crypto Off-Ramp (crypto-to-fiat conversion):

  • Originating wallet address is linked, via blockchain analytics, to a designated terrorist organisation, darknet market, or sanctioned VASP;
  • Transaction originates from a jurisdiction where state-sponsored crypto-based TF has been documented (DPRK, Iran);
  • Customer cannot or will not explain the source of the cryptocurrency funds;
  • The conversion amount is inconsistent with the customer's KYC profile;
  • Wallet clustering analysis indicates the originating wallet has received funds from multiple high-risk wallet clusters;
  • Customer requests conversion proceeds to be disbursed to a beneficiary in a high-risk CTF corridor without plausible commercial or personal reason;
  • Customer has a pattern of converting small amounts of crypto below reporting thresholds, consistent with structuring.

6. Enhanced Due Diligence for High-Risk CTF Corridors

6.1 Designated High-Risk CTF Corridors

6.1.1 The following corridors are designated as high-risk CTF corridors requiring enhanced monitoring and due diligence:

Corridor | Risk Basis
Pakistan → Iraq | IRGC-affiliated financial flows; ISIL reconstitution financing risk; hawala-adjacent patterns
Iraq → Pakistan | Reverse direction; same risk basis
UAE → Pakistan | GCC-based fundraising for designated organisations active in Pakistan
UK → Bangladesh | Diaspora-based fundraising for Bangladesh-linked groups; JMB historical precedent
Bangladesh → Middle East | Labour migration combined with TF exposure
Nepal → UAE / Qatar | Migrant worker corridor with documented financial system vulnerability

6.1.2 The MLRO shall review the list of designated high-risk CTF corridors at least quarterly, and update it following any material change in the threat landscape, FATF guidance, or intelligence from FIU cooperation.

6.2 Enhanced CDD for High-Risk Corridors

6.2.1 For all customers with transaction activity in a designated high-risk CTF corridor, the following enhanced measures shall be applied in addition to standard CDD:

  • Mandatory source of funds verification, with documentary evidence (payslip, bank statement, employer letter);
  • Enhanced beneficiary verification - the customer must confirm the beneficiary's identity and relationship;
  • Transaction-level review by a compliance analyst for transactions above USD 2,000 in the Iraq–Pakistan corridor and USD 3,000 in other high-risk corridors;
  • Minimum monthly transaction monitoring review for customers with regular high-risk corridor activity;
  • Annual CTF-specific enhanced due diligence review for all customers with ongoing high-risk corridor exposure.

6.2.2 For the Iraq–Pakistan corridor specifically, no transaction above USD 1,000 shall be processed without documented MLRO-level review at initial establishment of the customer relationship.


7. NPO and Charity Transaction Monitoring

7.1 FATF Recommendation 8 - NPO Risk

7.1.1 FATF Recommendation 8 recognises that the NPO sector is particularly vulnerable to abuse for terrorist financing purposes, including through charitable fundraising, diversion of humanitarian funds, and use of NPO bank accounts as conduits for terrorist funds. The Group acknowledges this risk, particularly given its operating corridors to conflict-affected regions.

7.1.2 The Group shall apply a heightened risk rating to all transactions involving NPOs, charities, religious organisations, and foundations. This heightened rating applies regardless of the stated legitimacy of the NPO and regardless of whether the NPO is registered with a national charity regulator.

7.2 NPO CDD Requirements

7.2.1 All NPO customers or NPO counterparties shall be subject to:

  • Full EDD, including identification and verification of all principal officers, trustees, and donors where feasible;
  • Verification of regulatory registration with the relevant national charity or NPO regulator;
  • Review of publicly available information about the NPO's activities and geographic reach;
  • Assessment of whether the NPO operates in, or channels funds to, conflict-affected or high-risk CTF jurisdictions;
  • MLRO approval for all NPO customer onboardings;
  • Annual review of all active NPO customer relationships.

7.2.2 The Group shall decline to establish or maintain a relationship with any NPO that:

  • Cannot demonstrate legitimate regulatory registration in its country of establishment;
  • Has known or suspected links to designated terrorist organisations;
  • Operates exclusively in conflict zones without credible operational justification;
  • Refuses to provide information about the ultimate beneficiaries of its activities.

7.3 NPO Transaction Monitoring

7.3.1 All transactions to or from NPO customers or NPO counterparties shall be subject to the following enhanced monitoring:

  • All transactions of USD 500 or more shall generate an automated monitoring alert for analyst review;
  • NPO transactions to FATF blacklist or conflict-affected jurisdictions shall be escalated to L2 (Senior Compliance Analyst) automatically;
  • NPO transactions with payment references suggestive of fundraising or humanitarian aid shall be reviewed for compliance with the Group's NPO corridor risk rules;
  • Any NPO transaction that cannot be matched to a specific, documented charitable programme shall be escalated to the MLRO.

8. High-Risk Corridor Specific Procedures

8.1 Pakistan - Enhanced CTF Procedures

8.1.1 In addition to the corridor-level measures in Section 6, the following Pakistan-specific CTF procedures apply:

  • All Pakistan-bound payments shall be screened against the NACTA proscribed individuals and organisations list, updated at minimum weekly in the Eastnets system;
  • UNSCR 1267 (ISIL, Al-Qaeda) and UNSCR 1988 (Taliban) lists shall be specifically highlighted in all Pakistan-corridor screening reviews;
  • All Pakistan-corridor transactions to beneficiaries in Khyber Pakhtunkhwa (KPK), Federally Administered Tribal Areas (FATA), and Balochistan shall be subject to a 100% analyst review regardless of amount;
  • Any customer identified as a member of, or donor to, a Pakistan-based religious or political organisation shall be subject to MLRO-level approval before their first Pakistan-corridor transaction;
  • The MLRO shall maintain a quarterly briefing on Pakistan's FATF action plan compliance status and adjust controls accordingly;
  • STRs relating to suspected TF via Pakistan corridors shall be filed with both the DFSA (UAE entity) and the FMU (where the transaction has Pakistan nexus), as required by applicable law.

8.2 Bangladesh - Enhanced CTF Procedures

8.2.1 The following Bangladesh-specific CTF procedures apply:

  • All Bangladesh-corridor transactions shall be screened against the BFIU's domestic designated terrorist list in addition to international sanctions lists;
  • Transactions to NGO or charity beneficiaries in Bangladesh shall require BFIU-registered charity documentation and MLRO approval;
  • The Group shall maintain awareness of BFIU advisories regarding CTF typologies in the Bangladesh corridor and update transaction monitoring rules within 30 days of any advisory;
  • STRs relating to suspected TF via Bangladesh corridors shall be filed with both the DFSA and the BFIU (Bangladesh entity) as applicable.

8.3 Iraq - Enhanced CTF Procedures

8.3.1 The following Iraq-specific CTF procedures apply, supplementing the Iraq sanctions procedures in SGP-FCC-002:

  • All Iraq-corridor transactions shall be reviewed by a compliance analyst as standard, regardless of amount;
  • No transaction shall be processed to a beneficiary in areas of Iraq identified as active ISIL operational zones without MLRO approval;
  • Transactions involving Iraqi entities with names or business descriptions consistent with PMF-affiliated organisations shall be escalated to the MLRO immediately;
  • The MLRO shall maintain awareness of CBI-issued CTF instructions and implement any required restrictions within 24 hours of notification;
  • Iraq-corridor customers with transaction patterns inconsistent with stated labour remittance purpose shall be subject to immediate enhanced review;
  • All Iraq-corridor transactions shall be reported in the MLRO's monthly high-risk corridor transaction summary.

9. Targeted Financial Sanctions

9.1 Asset Freezing Obligations

9.1.1 Targeted Financial Sanctions (TFS) require the immediate freezing of assets and prohibition on making funds or economic resources available to designated persons. TFS obligations arise under UNSCR 1267, 1373, and 1988 and their successor resolutions, and are implemented domestically in all jurisdictions where the Group operates.

9.1.2 TFS obligations are distinct from general sanctions screening. TFS does not merely require the rejection or holding of a transaction - it requires the active freezing of any funds held or controlled by a designated person and immediate notification to the relevant authority.

9.1.3 Where a true match is identified in a TFS context, the MLRO shall:

  • Immediately freeze any assets or funds held by or on behalf of the designated person;
  • Notify the relevant domestic authority (DFSA, OFSI, OFAC as applicable) within the timeframe required by applicable law;
  • Take no further action with those assets pending regulatory guidance;
  • File an STR with the relevant FIU;
  • Document all steps taken and the timeline.

9.1.4 The MLRO shall maintain a record of all TFS freezing events and their regulatory outcomes.

9.2 TFS Screening Integration

9.2.1 TFS screening is integrated into the overall Eastnets sanctions screening programme. The UN Consolidated List (which includes UNSCR 1267 and 1988 designations) and domestic implementation lists are all loaded into Eastnets and screened against at onboarding, transaction level, and periodically, as set out in the Sanctions Screening Policy (SGP-FCC-002).


10. CTF-Specific STR Indicators and Reporting

10.1 CTF-Specific STR Indicators

10.1.1 In addition to the general STR indicators in SGP-FCC-001, the following CTF-specific indicators shall trigger an ISAR and MLRO review:

  • Transaction or activity matches a known CTF typology documented by FATF, relevant FIU advisories, or law enforcement intelligence;
  • Customer is identified as, or strongly associated with, a member of a designated terrorist organisation;
  • Transaction is destined for or originates from a conflict zone, with no plausible personal or commercial explanation;
  • Customer transaction patterns are consistent with crowdfunding for a cause that may have terrorist nexus, even if the stated purpose is benign;
  • Customer is an NPO transacting to a jurisdiction where its stated programme activities cannot be independently verified;
  • Multiple customers with no apparent connection are all transacting to the same beneficiary in a high-risk CTF jurisdiction;
  • Customer explicitly mentions, in communications or in transaction references, a designated terrorist organisation or a conflict in a way that is inconsistent with legitimate commerce;
  • Transaction proceeds are likely to be used to purchase weapons, materials, or other items that could support terrorist activity, based on all available information;
  • A correspondent bank or remittance partner has alerted the Group to potential CTF concerns involving the customer.

10.2 Filing Obligations

10.2.1 Where the MLRO determines that a CTF-related STR is required, the report shall be filed with the relevant FIU. In CTF cases, this may require simultaneous or sequential filing with multiple FIUs, depending on the jurisdictions involved.

10.2.2 CTF-related STRs shall be flagged as such in the filing, where the relevant FIU system provides for this (e.g., UAE goAML system, FINTRAC's F-TRAC). CTF-related STRs shall be retained in a dedicated register maintained by the MLRO.

10.2.3 Where the MLRO has reasonable grounds to believe that a customer poses an imminent TF risk, the MLRO may contact law enforcement directly without waiting for the STR investigation process, and shall do so where required by applicable law.


11. Information Sharing and FIU Cooperation

11.1 Law Enforcement Requests

11.1.1 The Group shall maintain a documented process for handling requests for information from law enforcement agencies and FIUs. All such requests shall be routed to the MLRO. The MLRO shall:

  • Log all requests received;
  • Assess the legal basis for the request under applicable law in the relevant jurisdiction;
  • Obtain Legal advice where the legal basis is unclear;
  • Respond within the timeframe required by applicable law or judicial order;
  • Ensure that response to a law enforcement request does not constitute tipping-off of the customer.

11.1.2 The Group shall cooperate fully with FIUs and law enforcement agencies in CTF investigations, subject only to applicable legal constraints on disclosure.

11.2 FIU Engagement

11.2.1 The MLRO shall maintain relationships with the following FIUs relevant to the Group's operating jurisdictions and shall attend FIU outreach events, typology workshops, and mutual evaluation consultations where invited:

  • UAE goAML / UAE Financial Intelligence Unit (FIU-UAE);
  • Singapore STR / MAS;
  • Pakistan FMU;
  • Bangladesh BFIU;
  • Nepal FIU;
  • Canada FINTRAC;
  • UK National Crime Agency (NCA) - financial intelligence function.

11.2.2 Intelligence received from FIUs regarding TF typologies, specific designations, or emerging risks shall be incorporated into the Group's transaction monitoring rules and CTF risk assessment within 30 days of receipt.


12. Travel Rule Compliance

12.1 FATF Recommendation 16

12.1.1 FATF Recommendation 16 (the "Travel Rule") requires that financial institutions and VASPs obtain, hold, and transmit originator and beneficiary information with all qualifying cross-border wire transfers and virtual asset transfers. The purpose is to ensure that the information trail needed to investigate ML, TF, and related crime travels with the payment.

12.1.2 The Travel Rule applies to:

  • All cross-border wire transfers above USD/EUR 1,000 (or local equivalent) initiated through any Simpaisa product;
  • All virtual asset transfers above USD/EUR 1,000 processed through the Crypto Off-Ramp product;
  • Domestic wire transfers in jurisdictions where the Travel Rule has been implemented domestically (Pakistan, UAE, UK).

12.2 Required Information

12.2.1 For all qualifying cross-border transfers, the Group shall collect and transmit the following originator information:

  • Full legal name of the originator;
  • Account number or equivalent unique identifier;
  • Physical address, national identity number, customer identification number, or date and place of birth.

12.2.2 The following beneficiary information shall be collected and transmitted:

  • Full legal name of the beneficiary;
  • Account number or equivalent unique identifier.

12.2.3 For Crypto Off-Ramp and virtual asset transfers, the Group shall comply with applicable VASP Travel Rule requirements, including the use of Travel Rule information-sharing protocols (e.g., TRUST, VerifyVASP, or equivalent) where technically feasible. The MLRO shall assess and select an appropriate Travel Rule solution for virtual asset transfers by 1 July 2026.

12.3 Non-Compliant Counterparties

12.3.1 Where the Group receives a wire transfer or virtual asset transfer that does not include the required originator or beneficiary information, the receiving function shall flag the transfer to compliance for review. The MLRO shall determine whether:

  • The missing information can be obtained from the counterparty;
  • The transfer should be rejected or returned;
  • The transfer should be held pending receipt of required information;
  • An STR is warranted.

12.3.2 The Group shall not accept a pattern of non-compliant transfers from a correspondent or VASP counterparty. A correspondent that repeatedly fails to provide Travel Rule information shall be subject to an enhanced due diligence review, and the MLRO shall consider terminating the relationship.


13. Roles and Responsibilities

13.1 Board of Directors

13.1.1 The Board shall approve these Procedures and the annual CTF Risk Assessment, receive MLRO reporting on CTF matters, and ensure adequate resources are allocated to CTF controls.

13.2 MLRO

13.2.1 The MLRO (Shoukat Bizinjo) shall own these Procedures, maintain the annual CTF Risk Assessment, approve all CTF-related STRs and regulatory reports, approve all high-risk corridor and NPO customer relationships, manage law enforcement requests, and report to the Board on CTF matters.

13.3 Country Compliance Officers

13.3.1 Country compliance officers shall implement the jurisdiction-specific procedures in Section 8, maintain awareness of local CTF regulatory developments, file local CTF STRs, and report CTF risks to the MLRO.

13.4 Compliance Analysts

13.4.1 Compliance analysts shall review CTF-flagged alerts and ISAR submissions, apply CTF red flag checklists to relevant transaction monitoring alerts, escalate CTF concerns to senior analysts and the MLRO, and maintain documentation of all CTF-related reviews.

13.5 All Employees

13.5.1 All employees shall complete CTF training as required by Section 14, report CTF concerns to the MLRO via the ISAR process, and never facilitate transactions where CTF risk has been identified and not resolved.


14. Training on CTF Indicators

14.1 CTF-Specific Training

14.1.1 CTF training is distinct from general AML training and shall address the specific typologies, indicators, and regulatory obligations unique to terrorist financing. CTF training shall be provided in addition to, not as a substitute for, general AML/CFT awareness training.

14.1.2 CTF training requirements by role:

Role Category | CTF Training Content | Frequency
All employees | CTF awareness: what TF is, how it differs from ML, how to identify basic red flags, how to report | Annual
Customer-facing staff | CTF red flags by product line (as per Section 5); corridor-specific indicators; NPO/charity red flags | Annual; refresher within 3 months of joining
Compliance and financial crime staff | CTF typologies in depth; jurisdiction-specific CTF risk profiles; CTF STR procedures; NPO EDD; Travel Rule | Annual; supplementary on material regulatory change
Senior management | CTF governance; personal liability; Board oversight obligations; FATF developments | Annual
MLRO and deputy | CTF-specific CPD from accredited external providers (minimum 6 hours per annum) | Annual

14.2 CTF training content shall be reviewed by the MLRO annually to ensure it reflects current FATF typologies, jurisdiction-specific risks, and changes to applicable regulatory frameworks.


15. Annual CTF Risk Assessment

15.1 Assessment Process

15.1.1 The MLRO shall produce an Annual CTF Risk Assessment, either as a standalone document or as a dedicated CTF annex to the Group-Wide Financial Crime Risk Assessment (FCRA). The CTF Risk Assessment shall be completed by 31 March each year and submitted to the Board for approval.

15.1.2 The CTF Risk Assessment shall address:

  • The CTF risk profile of the Group's products, channels, and customer segments;
  • The CTF risk profile of each operating jurisdiction, with specific reference to FATF mutual evaluation outcomes, action plan status, and FIU intelligence;
  • The adequacy of CTF-specific transaction monitoring rules and scenarios;
  • The adequacy of NPO/charity controls;
  • The effectiveness of CTF training;
  • Travel Rule compliance status;
  • CTF STR statistics and outcomes;
  • Emerging CTF threats and typologies relevant to cross-border payments fintechs;
  • Planned enhancements to CTF controls in the coming year.

15.1.3 The CTF Risk Assessment shall specifically assess the following corridors: UAE–Pakistan, UK–Bangladesh, Iraq–Pakistan, Nepal–UAE, and Bangladesh–Middle East. Each corridor shall be assigned an inherent CTF risk rating (Low, Medium, High) and a residual risk rating after controls.

15.1.4 The Board shall be presented with the CTF Risk Assessment at its first meeting following completion, together with the MLRO's recommendation on any required enhancements or resource allocations.


16. Monitoring and Reporting

16.1 CTF KPIs

16.1.1 The MLRO shall track and report the following CTF-specific KPIs to the Board quarterly:

KPI | Target
CTF training completion rate | 100% within due date
High-risk corridor transaction review completion rate | 100% within SLA
NPO/charity customer reviews completed on schedule | 100%
CTF-related STRs filed within regulatory deadline | 100%
Travel Rule compliance rate (qualifying transactions with full originator/beneficiary data) | ≥ 99%
CTF alert escalation rate and resolution time | Tracked and reported

16.2 MLRO CTF Reporting

16.2.1 The MLRO shall include a dedicated CTF section in the quarterly MLRO Board report, covering: CTF STR activity, high-risk corridor transaction volumes and review outcomes, NPO customer activity, Travel Rule compliance status, and any new CTF threats or regulatory developments.


17. Exceptions

17.1 Any deviation from the requirements of these Procedures requires a documented exception approved by the MLRO. Deviations from CTF controls in high-risk corridors require Board Risk Committee notification in addition to MLRO approval.

17.2 No exception shall be granted that would result in a transaction being processed where CTF risk has not been assessed and managed, or where a TFS obligation has not been met.

17.3 All exceptions shall be recorded in the Group's Exception Register, reviewed quarterly by the MLRO, and reported to the Board annually.


  • Anti-Money Laundering and Counter-Terrorist Financing Policy (SGP-FCC-001)
  • Sanctions Screening Policy (SGP-FCC-002)
  • KYC Procedure (SGP-FCC-004)
  • Customer Risk Assessment Framework (SGP-FCC-005)
  • Operational Resilience Policy (SGP-OPS-001)
  • Outsourcing and Third-Party Management Policy (SGP-OPS-002)
  • Whistleblowing Policy (SGP-GOV-002)

19. Appendices

Appendix A: CTF Typologies Relevant to Simpaisa's Products and Corridors - FATF Reference Summary

Appendix B: CTF Red Flag Checklists by Product Line (Pay-In, Pay-Out, Remittance, Crypto Off-Ramp)

Appendix C: High-Risk CTF Corridor Profiles - Detailed Risk Assessments

Appendix D: NPO/Charity Enhanced Due Diligence Checklist and Approval Template

Appendix E: Targeted Financial Sanctions - Asset Freezing Procedure and Notification Templates

Appendix F: Travel Rule Compliance Matrix - Jurisdiction Requirements and Thresholds

Appendix G: CTF-Specific ISAR Supplementary Form

Appendix H: FIU Contact Directory - CTF Reporting Channels by Jurisdiction

Appendix I: Annual CTF Risk Assessment Template


End of Document - Simpaisa Group Financial Crime Compliance Policy Suite (SGP-FCC-001, SGP-FCC-002, SGP-FCC-003)

Version 1.0 | Effective Date: 1 April 2026 | Classification: Confidential

Board-approved 1 April 2026 | Next Review: 1 April 2027