Simpaisa Group - Financial Crime Compliance Policy Suite
POLICY 1: FRAUD MANAGEMENT POLICY
SIMPAISA GROUP
FRAUD MANAGEMENT POLICY
| Field | Detail |
|---|---|
| Document Reference | SGP-FCC-003 |
| Version | 1.0 |
| Status | Active |
| Owner | Chief Digital Officer (CDO) / Chief Operating Officer (COO) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential |
Document Control
Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | CDO Office | Initial draft |
| 0.2 | February 2026 | CDO Office, COO Office, Compliance, Legal | Internal review and revision |
| 0.3 | March 2026 | Compliance, MLRO | Regulatory alignment review (DFSA, FCA, FINTRAC) |
| 1.0 | April 2026 | CDO, COO | Board-approved final version |
Ownership
This Policy has dual ownership reflecting the two principal domains of fraud management:
- Chief Digital Officer (Daniel O'Reilly) - responsible for fraud prevention technology, detection system architecture, the Digital Technology Roadmap workstreams relevant to fraud, and technical controls across all product lines.
- Chief Operating Officer (Kamil Shaikh) - responsible for operational fraud response, investigation workflow, escalation governance, customer notification, loss management, and regulatory reporting.
Where responsibilities overlap or conflict, the MLRO (Shoukat Bizinjo) serves as arbiter. Where suspected fraud has a financial crime dimension, the MLRO assumes primacy.
Distribution
This policy is distributed to all senior management, department heads, Fraud Operations, Technology, Compliance, Legal, and Customer Operations personnel. It is available on the internal policy management system. Appendices containing detection rule parameters and velocity thresholds are classified Restricted and distributed on a strict need-to-know basis to prevent gaming.
Related Policies and Documents
- AML/CTF Policy (SGP-FCC-001)
- Sanctions Compliance Policy (SGP-FCC-002)
- KYC/KYB and Customer Onboarding Policy (SGP-FCC-004)
- Operational Resilience Policy (SGP-OPS-001)
- Data Governance Policy (SGP-CDO-001)
- Information Security Policy
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- Merchant Payment Services Agreement (MPSA)
- DT Roadmap (Workstream 5 - Fraud and Risk Intelligence)
- Simpaisa Group Insurance Programme
- Incident Management Policy
1. Purpose and Scope
1.1 Purpose
This Fraud Management Policy ("Policy") establishes Simpaisa Group's ("Simpaisa" or "the Group") framework for identifying, preventing, detecting, investigating, and responding to fraud across all product lines, customer segments, and jurisdictions in which the Group operates.
Fraud poses a direct threat to the Group's financial integrity, its customers' assets, its regulatory standing, and its reputation. The cross-border, multi-product, and multi-jurisdictional nature of Simpaisa's operations - spanning Pay-Ins, Pay-Outs, Remittances, Crypto Off-Ramping, and White-Label Wallets across nine markets - creates an extensive and varied fraud attack surface that requires a disciplined, structured, and technology-supported approach to management.
This Policy satisfies requirements arising from:
- The Dubai Financial Services Authority (DFSA) requirements applicable to the Group's Category 3D licence, including obligations relating to systems and controls, conduct risk, and client asset protection;
- The Financial Conduct Authority (FCA) Senior Managers and Certification Regime (SMCR) obligations and Payment Services Regulations 2017 (PSR 2017) applicable to the Group's UK entity;
- The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) obligations applicable to the Group's Canadian entity, including suspicious transaction reporting requirements;
- The State Bank of Pakistan (SBP) Fraud Risk Management Guidelines applicable to the Group's Pakistani operations;
- PCI DSS v4.0 requirements applicable to all entities processing card transactions;
- Card scheme rules (Visa, Mastercard) governing fraud monitoring, chargeback management, and merchant liability.
1.2 Scope
This Policy applies to:
- All legal entities within the Simpaisa Group and all nine subsidiary entities across all operating jurisdictions;
- All employees, contractors, and secondees performing functions on behalf of any Simpaisa entity, including technology, operations, customer services, compliance, and finance staff;
- All third-party service providers, processors, correspondent banks, and white-label wallet clients whose activities create fraud exposure for the Group;
- All product lines: Pay-Ins, Pay-Outs, Remittances, Crypto Off-Ramping (Binance integration), and White-Label Wallets;
- All channels: web, mobile application, API, agent, and partner-managed channels;
- All customer segments: retail remittance senders, merchants, white-label wallet end-users, and correspondent/partner institutions.
This Policy applies regardless of whether the fraud originates externally (third-party fraud) or internally (employee or insider fraud).
2. Definitions
| Term | Definition |
|---|---|
| Account Takeover (ATO) | Unauthorised access to a customer account by a third party, typically achieved through credential theft, phishing, SIM swap, or social engineering, enabling fraudulent transactions. |
| Adverse Action | A decision by Simpaisa to restrict, suspend, or terminate a customer relationship, merchant agreement, or transaction on the basis of confirmed or suspected fraud. |
| API Abuse | Exploitation of Simpaisa's or a white-label client's application programming interfaces to perform fraudulent operations, including synthetic account creation, balance manipulation, or unauthorised transaction execution. |
| Beneficiary Impersonation | A fraud typology in which a fraudster poses as the legitimate intended recipient of a payment to divert funds to a mule or attacker-controlled account. |
| Card-Not-Present (CNP) Fraud | Fraudulent use of payment card details to initiate transactions in the absence of the physical card, typically through online or API channels. |
| Chargeback Abuse | The deliberate filing of a chargeback by a cardholder who has in fact received the goods or services (also referred to as first-party fraud or friendly fraud). |
| Credential Stuffing | An automated attack in which stolen username/password combinations from external data breaches are tested against Simpaisa authentication systems at scale. |
| False Positive | A transaction or alert flagged as potentially fraudulent by a detection system that is, upon investigation, determined to be legitimate. |
| Fraud | Any intentional deception, misrepresentation, concealment, or abuse of systems carried out to obtain financial gain, avoid an obligation, or cause financial loss to Simpaisa, its customers, or its partners. |
| Fraud Rate | The ratio of confirmed fraud losses (gross) to total processed transaction value over a given period, expressed in basis points. |
| Friendly Fraud | See Chargeback Abuse. |
| Insider Fraud | Fraud perpetrated by an employee, contractor, or agent who exploits their legitimate access to systems, data, or customer information for personal gain or to benefit a third party. |
| ML Model | Machine learning model used for anomaly detection and fraud scoring, as described in DT Roadmap Workstream 5. |
| Money Mule | An individual who, wittingly or unwittingly, receives and transfers fraudulently obtained funds on behalf of a fraudster, typically retaining a commission. |
| MLRO | Money Laundering Reporting Officer - Shoukat Bizinjo. |
| Mixing Service | A cryptocurrency service that obfuscates the transaction trail by pooling and redistributing funds, used to conceal the origin of crypto assets. |
| P1 / P2 / P3 / P4 | Priority levels applied to fraud alerts and incidents - see Section 7.1. |
| Structuring | The deliberate splitting of transactions into smaller amounts to evade reporting thresholds (also referred to as smurfing). |
| Synthetic Identity | A fabricated identity combining real and fictitious information (e.g., a valid national ID number with a different name and address) used to open accounts and conduct fraud. |
| VASP | Virtual Asset Service Provider. |
| Velocity Check | A real-time control that monitors the frequency, volume, or value of transactions from a customer, device, or account over a defined time window and triggers an action if a threshold is breached. |
3. Policy Statements
3.1 Commitment to Fraud Prevention
3.1.1 The Board of Directors accepts ultimate responsibility for the Group's fraud risk management framework and approves this Policy. The Board shall receive a monthly fraud summary report and an annual Fraud Risk Assessment.
3.1.2 Simpaisa shall maintain a zero-tolerance stance toward internal fraud. Any employee found to have perpetrated, facilitated, or concealed fraud shall face summary dismissal and, where appropriate, referral to law enforcement, without prejudice to civil recovery action.
3.1.3 Fraud risk management is a shared responsibility. The CDO owns the technology and prevention infrastructure; the COO owns the operational response and investigation lifecycle; and all employees bear a duty to report suspected fraud promptly.
3.1.4 Fraud controls shall be proportionate to the fraud risk profile of each product and customer segment. Controls shall be calibrated to minimise false positives and avoid unnecessary friction for legitimate customers, whilst maintaining robust protection against material fraud loss.
3.1.5 Fraud prevention and detection shall be embedded into the design and build of all new products and integrations, consistent with the Group's security-by-design and privacy-by-design principles.
3.2 Regulatory and Card Scheme Compliance
3.2.1 Simpaisa shall comply with all applicable regulatory obligations relating to fraud reporting, suspicious transaction reporting, and customer notification across each jurisdiction in which it operates.
3.2.2 Simpaisa shall comply with Visa and Mastercard fraud monitoring programme thresholds. Where the Group or any merchant client breaches a card scheme fraud threshold, the Fraud Manager shall notify the COO and CDO within 24 hours and produce a remediation plan within five business days.
3.2.3 Where fraud is suspected to have a money laundering or terrorist financing dimension, the matter shall be referred immediately to the MLRO, who shall assume primacy in determining whether a Suspicious Activity Report (SAR) or equivalent filing is required.
3.3 Customer Protection
3.3.1 Where Simpaisa determines that a customer has suffered a loss as a result of fraud on Simpaisa's systems or controls, the Group shall act promptly to assess liability, communicate transparently with the affected customer, and offer appropriate remediation.
3.3.2 Simpaisa shall not use fraud-related adverse actions as a mechanism to avoid legitimate customer disputes or chargeback liabilities.
4. Fraud Risk Taxonomy by Product Line
4.1 Pay-Ins
Pay-In fraud involves the fraudulent funding of a Simpaisa account or payment instruction, typically where the funds used do not belong to the initiating party.
| Fraud Type | Description |
|---|---|
| Card-Not-Present (CNP) Fraud | Use of stolen card details to fund a Simpaisa account or initiate a payment without the cardholder's knowledge or consent. |
| Friendly Fraud / Chargeback Abuse | A customer funds a transaction legitimately, receives the service or value, then disputes the charge with their issuing bank, asserting non-receipt or unauthorised use. |
| Account Takeover (ATO) | A fraudster gains control of a legitimate customer account and initiates Pay-In transactions using the victim's saved payment methods. |
| Credential Stuffing | Automated testing of credential lists against Simpaisa authentication to gain account access at scale. |
| Merchant Collusion | A Simpaisa-contracted merchant works in collusion with fraudsters to process fraudulent card transactions and retain the funds, or to generate fictitious transaction volumes. |
4.2 Pay-Outs
Pay-Out fraud involves the fraudulent diversion of disbursements away from their legitimate destination.
| Fraud Type | Description |
|---|---|
| Beneficiary Impersonation | A fraudster intercepts or substitutes beneficiary account details, redirecting a disbursement to an attacker-controlled account. Common via business email compromise (BEC). |
| Social Engineering | A customer or employee is manipulated into authorising a payment to a fraudulent beneficiary, often under false pretences of urgency or authority. |
| Duplicate Disbursement | A legitimate payment instruction is processed more than once due to a system error, API replay attack, or manual processing failure. |
| Insider Fraud | An employee with disbursement access creates or manipulates payment instructions for personal gain. |
| Money Mule Accounts | Pay-Out funds are directed to accounts controlled by money mules as part of an organised fraud or money laundering scheme. |
4.3 Remittances
Remittance fraud exploits the cross-border, high-volume, and time-sensitive nature of Simpaisa's remittance corridors.
| Fraud Type | Description |
|---|---|
| Identity Fraud | A fraudster uses stolen or fictitious identity documents to onboard as a remittance sender, enabling fraudulent or money-laundering transactions. |
| Structuring / Smurfing | Multiple small remittances are sent by a coordinated group to avoid transaction monitoring thresholds, often to the same or related beneficiaries. |
| Corridor Manipulation | Exploitation of exchange rate differentials or settlement timing in specific remittance corridors (e.g., PKR, BDT, NPR) to extract value or obscure the origin of funds. |
| Correspondent Fraud | A correspondent or aggregator partner manipulates transaction flows, volumes, or FX rates to extract value from the Group. |
4.4 Crypto Off-Ramp (Binance Integration)
Crypto off-ramp fraud exploits the conversion of digital assets to fiat currency, a high-risk typology given the pseudonymous nature of blockchain transactions.
| Fraud Type | Description |
|---|---|
| Stolen Wallet Funds | Proceeds from hacked or compromised cryptocurrency wallets are off-ramped through Simpaisa's Binance integration to convert to fiat before recovery action can be taken. |
| Mixing Service Obfuscation | Crypto assets that have been passed through a mixing or tumbling service are off-ramped, with the mixing having been used to sever the transaction trail and conceal illicit origins. |
| Pump-and-Dump Proceeds | Gains from manipulated crypto asset price schemes are off-ramped, constituting fraud proceeds. |
| Ransomware Laundering | Ransomware payments received in cryptocurrency are off-ramped through Simpaisa, making the Group an unwitting conduit for criminal proceeds. |
4.5 White-Label Wallets
White-label wallet fraud exploits the intermediated nature of the product, where Simpaisa's systems underlie a client-branded experience and KYC/fraud controls may be distributed between Simpaisa and the white-label client.
| Fraud Type | Description |
|---|---|
| Account Creation Fraud | Mass creation of fraudulent wallet accounts using synthetic or stolen identities to exploit onboarding bonuses, transaction limits, or to establish money mule infrastructure. |
| Synthetic Identity Fraud | Fabricated identities are used to create wallets that appear legitimate but are operated by fraudsters for financial crime or value extraction. |
| Balance Manipulation | Exploitation of race conditions, API timing vulnerabilities, or ledger discrepancies to artificially inflate wallet balances. |
| API Abuse | Fraudulent or abusive use of the white-label client's API integration to perform unauthorised operations, generate fraudulent transactions, or extract data. |
5. Fraud Prevention Controls
5.1 Transaction-Level Controls
5.1.1 Velocity Checks and Transaction Limits
Simpaisa shall maintain a real-time velocity monitoring framework across all product lines. Velocity rules shall be configured, tested, and maintained by the CDO's Technology team in consultation with Fraud Operations. At a minimum, the following velocity dimensions shall be monitored:
- Number of transactions per customer per hour, day, and rolling 30-day period;
- Cumulative transaction value per customer per day and rolling 30-day period;
- Number of unique beneficiaries per sender per day;
- Number of failed authentication attempts per account within a defined window;
- Frequency of card funding attempts per customer session.
Velocity thresholds are documented in the Fraud Rule Playbook (Restricted). Breaches trigger automated decline, step-up authentication, or case creation depending on the severity tier.
5.1.2 Duplicate Transaction Detection
All payment and disbursement instructions shall pass through a real-time deduplication check that compares a transaction fingerprint (originating account, amount, beneficiary, and reference) against a rolling window of recently accepted instructions. The timestamp defines the window; it does not form part of the fingerprint, because a replayed or double-submitted instruction arrives with a fresh timestamp but an identical payload. Where an API client supplies an idempotency key, that key forms part of the fingerprint. Duplicate matches shall be held for human review before processing.
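The velocity dimensions in 5.1.1 and the deduplication check in 5.1.2 are two uses of the same rolling-window state, so the following added example shows both together. It is illustrative code written for this page, not Simpaisa's fraud engine: the limit values, window lengths, the outcome tiering in `decide()` and the sample instruction stream are all constructed (the real thresholds live in the restricted Fraud Rule Playbook), and it assumes instructions arrive in timestamp order on a single stream.

```python
"""Rolling-window velocity checks and duplicate-instruction detection.

Added example, not Simpaisa's code. Thresholds, window lengths, outcome
mapping and the sample instructions are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
DEDUP_WINDOW = timedelta(minutes=10)  # how long an identical payload counts as a replay

LIMITS = {  # hypothetical per-customer limits
    "tx_per_hour": 5,
    "tx_per_day": 20,
    "value_per_day": 10_000.0,
    "unique_beneficiaries_per_day": 8,
}


@dataclass(frozen=True)
class Instruction:
    customer: str
    beneficiary: str
    amount: float
    reference: str
    ts: datetime


def fingerprint(i: Instruction):
    """Dedup key. The timestamp is deliberately excluded: a replayed or
    double-submitted instruction carries a fresh timestamp but the same payload,
    so time only bounds the window and never forms part of the key."""
    return (i.customer, i.beneficiary, round(i.amount, 2), i.reference)


class VelocityMonitor:
    """Per-customer history of accepted instructions for the last 24h, in time
    order. A production build would use a shared store with TTLs, not deques."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.history = defaultdict(deque)  # customer -> deque[Instruction]
        self.last_seen = {}                # fingerprint -> ts of last accepted copy

    def _prune(self, customer, now):
        q = self.history[customer]
        while q and now - q[0].ts > DAY:
            q.popleft()

    def is_duplicate(self, i: Instruction) -> bool:
        last = self.last_seen.get(fingerprint(i))
        return last is not None and i.ts - last <= DEDUP_WINDOW

    def breaches(self, i: Instruction):
        """Rule names that would be breached if `i` were accepted; does not record it."""
        self._prune(i.customer, i.ts)
        q = self.history[i.customer]
        hits = []
        if sum(1 for x in q if i.ts - x.ts <= HOUR) + 1 > self.limits["tx_per_hour"]:
            hits.append("tx_per_hour")
        if len(q) + 1 > self.limits["tx_per_day"]:
            hits.append("tx_per_day")
        if sum(x.amount for x in q) + i.amount > self.limits["value_per_day"]:
            hits.append("value_per_day")
        if len({x.beneficiary for x in q} | {i.beneficiary}) > self.limits["unique_beneficiaries_per_day"]:
            hits.append("unique_beneficiaries_per_day")
        if self.is_duplicate(i):
            hits.append("duplicate_instruction")
        return hits

    def record(self, i: Instruction):
        self.history[i.customer].append(i)
        self.last_seen[fingerprint(i)] = i.ts


def decide(hits):
    """Illustrative severity tiering: a duplicate always goes to human review,
    one velocity breach adds step-up authentication, two or more decline."""
    if "duplicate_instruction" in hits:
        return "hold"
    if not hits:
        return "pass"
    return "step_up" if len(hits) == 1 else "decline"


def process(monitor: VelocityMonitor, i: Instruction) -> str:
    action = decide(monitor.breaches(i))
    if action in ("pass", "step_up"):  # held/declined instructions never enter history
        monitor.record(i)
    return action


def run_sample():
    """Constructed stream: one customer, a double-submitted instruction, then a burst."""
    t0 = datetime(2026, 4, 1, 9, 0)
    m = timedelta(minutes=1)
    stream = [
        Instruction("C1", "B1", 100.0, "INV-001", t0),
        Instruction("C1", "B2", 200.0, "INV-002", t0 + 5 * m),
        Instruction("C1", "B3", 300.0, "INV-003", t0 + 10 * m),
        Instruction("C1", "B3", 300.0, "INV-003", t0 + 12 * m),   # replay of INV-003
        Instruction("C1", "B4", 400.0, "INV-004", t0 + 15 * m),
        Instruction("C1", "B5", 500.0, "INV-005", t0 + 20 * m),
        Instruction("C1", "B6", 600.0, "INV-006", t0 + 25 * m),   # sixth within the hour
        Instruction("C1", "B1", 9000.0, "INV-007", t0 + 30 * m),  # burst plus daily value
    ]
    monitor = VelocityMonitor()
    return [(i.reference, process(monitor, i)) for i in stream]


if __name__ == "__main__":
    for ref, action in run_sample():
        print(ref, action)
```

In the sample stream the replayed INV-003 is held even though no velocity limit is near, the sixth instruction in the hour is stepped up, and the seventh trips both the hourly count and the daily value and is declined. Because held and declined instructions are not written into the history, a burst of declines cannot itself push a customer further over the limits.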
5.1.3 Beneficiary Verification
For Pay-Out and remittance transactions, Simpaisa shall implement account name verification (confirmation of payee or equivalent) where supported by the receiving institution or payment infrastructure. Where name matching is not technically available, enhanced manual review procedures shall apply for high-value transactions.
5.2 Authentication and Device Controls
5.2.1 3D Secure Authentication
All card-funded Pay-In transactions processed through Simpaisa's acquiring infrastructure shall use 3D Secure (3DS2 where available) to authenticate the cardholder. Liability shift rules apply in accordance with card scheme regulations. Exemptions to 3DS (e.g., low-value, low-risk transactions) may be applied by the Technology team in accordance with card scheme rules and with Fraud Operations approval.
5.2.2 Device Fingerprinting
Simpaisa shall maintain device fingerprinting across all digital channels (web and mobile) to associate transactions with known devices. Device attributes collected shall include operating system, browser, screen resolution, installed fonts, network characteristics, and other signals that do not directly identify the customer; because a fingerprint linked to an account is nonetheless personal data under UK GDPR and comparable laws, its collection and retention shall follow the Data Governance Policy. New device registration events shall trigger enhanced monitoring for a defined post-registration window.
5.2.3 Geolocation Controls
Transaction geolocation data (IP address, GPS where available) shall be collected and assessed against the customer's expected location, device history, and transaction context. Geolocation mismatches (e.g., transaction initiated from a jurisdiction inconsistent with the customer's registration country and device history) shall trigger step-up authentication or case creation.
5.2.4 IP and Device Blocklists
Simpaisa shall maintain dynamic blocklists of IP addresses, device identifiers, and email domains associated with confirmed fraud. Blocklists shall be updated in real time by the fraud detection system and reviewed by Fraud Operations weekly. Third-party threat intelligence feeds shall be integrated to supplement internal blocklist data.
5.3 Merchant Monitoring
5.3.1 Simpaisa shall continuously monitor all contracted merchants for indicators of fraud or collusion, including chargeback ratios, dispute rates, refund patterns, and transaction velocity anomalies.
5.3.2 Merchants shall be subject to the Visa and Mastercard chargeback monitoring programmes. Scheme thresholds are expressed as both a monthly chargeback count and a chargeback-to-transaction ratio, and a merchant enters a programme tier only when both are exceeded (for example, Mastercard's Excessive Chargeback Merchant tier begins at 100 chargebacks and a 1.0% ratio in a month; Visa's programme applies comparable count-and-ratio tiers). Scheme thresholds are revised periodically, and the values in force shall be recorded in the Fraud Rule Playbook. Merchants breaching a scheme threshold shall be placed on a Fraud Watch List and subject to an enhanced monitoring and remediation plan.
5.3.3 New merchants shall be subject to a transaction volume ramp-up programme during the first 90 days, with enhanced monitoring and manual review of anomalous transactions.
6. Fraud Detection
6.1 Rule-Based Detection Engine (Real-Time)
Simpaisa shall operate a real-time rule-based fraud detection engine that evaluates all transactions against a defined ruleset at the point of initiation. The engine shall assign each transaction a fraud risk score and apply one of the following outcomes:
| Outcome | Condition |
|---|---|
| Pass | Transaction meets all rules; processed normally. |
| Step-Up | Transaction meets threshold for additional authentication; customer prompted for step-up verification. |
| Hold | Transaction meets review threshold; placed in manual review queue pending analyst assessment. |
| Decline | Transaction meets decline threshold; rejected in real-time with appropriate customer message. |
The fraud rule library is maintained by the CDO's Technology team in the Fraud Rule Playbook (Restricted). Rule changes shall be subject to a defined change control process requiring Fraud Operations approval and regression testing before deployment to production.
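The following added example shows the scoring and outcome mapping described in 6.1 together with the regression test that 6.1 requires before a rule change reaches production. It is illustrative code written for this page, not Simpaisa's detection engine: the rule names, weights, score thresholds and the labelled sample transactions are constructed, and the false positive rate is computed with the Section 10 KPI definition (flagged-but-legitimate as a share of all flagged transactions).

```python
"""Additive rule scoring with pass / step-up / hold / decline outcomes, plus a
regression gate for proposed rule changes.

Added example, not Simpaisa's engine. Rules, weights, thresholds and the
labelled cases are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable, List


@dataclass(frozen=True)
class Txn:
    amount: float
    product: str                 # e.g. "payout", "remittance", "crypto_offramp"
    new_device: bool             # device not previously seen for this customer
    geo_mismatch: bool           # IP/GPS inconsistent with profile and device history
    failed_auth_last_hour: int   # failed authentication attempts in the last hour
    beneficiary_age_days: int    # days since the beneficiary was first used (0 = new)


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    hit: Callable[[Txn], bool]


# Hypothetical baseline ruleset; weights are additive.
BASELINE_RULES: List[Rule] = [
    Rule("new_device", 25, lambda t: t.new_device),
    Rule("geo_mismatch", 25, lambda t: t.geo_mismatch),
    Rule("auth_failures", 20, lambda t: t.failed_auth_last_hour >= 3),
    Rule("new_beneficiary_high_value", 35,
         lambda t: t.beneficiary_age_days == 0 and t.amount >= 1000),
    Rule("crypto_large", 20,
         lambda t: t.product == "crypto_offramp" and t.amount >= 5000),
]

# (minimum score, outcome), checked from the most severe downwards.
THRESHOLDS = [(80, "decline"), (55, "hold"), (30, "step_up")]


def score(t: Txn, rules=BASELINE_RULES):
    """Return (total score, names of the rules that fired)."""
    fired = [r for r in rules if r.hit(t)]
    return sum(r.weight for r in fired), [r.name for r in fired]


def outcome(total: int) -> str:
    for floor, action in THRESHOLDS:
        if total >= floor:
            return action
    return "pass"


def evaluate(t: Txn, rules=BASELINE_RULES) -> dict:
    total, fired = score(t, rules)
    return {"score": total, "outcome": outcome(total), "rules": fired}


@dataclass(frozen=True)
class LabelledCase:
    txn: Txn
    is_fraud: bool  # analyst-confirmed outcome from a closed case


def regression_check(rules, cases, max_fp_rate=0.15, min_catch_rate=1.0) -> dict:
    """Gate a proposed ruleset against labelled history: false positive rate is
    flagged-but-legitimate over all flagged (non-pass) transactions; catch rate
    is the share of confirmed fraud that did not receive a plain pass."""
    results = [(c, evaluate(c.txn, rules)["outcome"] != "pass") for c in cases]
    flagged = [c for c, f in results if f]
    false_pos = [c for c in flagged if not c.is_fraud]
    fraud = [c for c in cases if c.is_fraud]
    caught = [c for c, f in results if f and c.is_fraud]
    fp_rate = len(false_pos) / len(flagged) if flagged else 0.0
    catch_rate = len(caught) / len(fraud) if fraud else 1.0
    return {"fp_rate": round(fp_rate, 3), "catch_rate": round(catch_rate, 3),
            "ok": fp_rate <= max_fp_rate and catch_rate >= min_catch_rate}


# Constructed labelled sample: four legitimate cases, three confirmed fraud.
SAMPLE_CASES = [
    LabelledCase(Txn(50, "payout", False, False, 0, 200), False),
    LabelledCase(Txn(200, "payout", True, False, 0, 90), False),      # customer on a new phone
    LabelledCase(Txn(6000, "crypto_offramp", False, False, 0, 30), False),
    LabelledCase(Txn(80, "remittance", False, True, 0, 400), False),  # customer travelling
    LabelledCase(Txn(2000, "payout", True, True, 4, 0), True),        # account takeover pattern
    LabelledCase(Txn(6000, "crypto_offramp", True, False, 0, 0), True),
    LabelledCase(Txn(1500, "remittance", False, False, 3, 0), True),
]


def candidate_rules():
    """Proposed change under review: raise the new-device weight from 25 to 40."""
    return [replace(r, weight=40) if r.name == "new_device" else r for r in BASELINE_RULES]


def baseline_report():
    return regression_check(BASELINE_RULES, SAMPLE_CASES)


def candidate_report():
    return regression_check(candidate_rules(), SAMPLE_CASES)


if __name__ == "__main__":
    print("baseline :", baseline_report())
    print("candidate:", candidate_report())
```

On the sample set the baseline passes the gate (no false positives, all three fraud cases flagged), while the candidate change catches nothing extra but pushes the legitimate new-phone customer into step-up, lifting the false positive rate to 25% and failing the 15% KPI bound. Running this kind of check against recent closed cases is what makes "regression testing before deployment" a concrete, repeatable step rather than a judgement call.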
6.2 ML-Based Anomaly Detection (Planned)
As part of DT Roadmap Workstream 5 (Fraud and Risk Intelligence), Simpaisa plans to deploy machine learning-based anomaly detection to supplement rule-based controls. The ML layer will provide:
- Behavioural anomaly detection at the customer and entity level;
- Graph-based network analysis to identify coordinated fraud rings and mule account clusters;
- Dynamic fraud scoring that adapts to emerging typologies without rule reconfiguration.
Until the ML system is deployed and validated, the Group shall rely on enhanced manual review procedures and augmented rule sets for typologies best suited to ML detection. The CDO shall report quarterly to the Board on the delivery status of Workstream 5.
6.3 Manual Transaction Review Triggers
In addition to automated detection, transactions shall be referred to manual review when:
- The transaction value exceeds a defined threshold for its product category;
- A new customer's first transaction falls within a high-risk category or corridor;
- Customer behaviour deviates materially from established transaction patterns;
- A customer service agent or compliance officer flags a transaction as suspicious;
- A chargeback or dispute is received that matches a pattern associated with fraud typologies;
- A transaction involves a sanctioned or PEP-adjacent counterparty flagged during real-time screening.
6.4 Merchant Monitoring
Chargeback and dispute data shall be aggregated daily per merchant. The Fraud Operations team shall review merchants with elevated ratios weekly and escalate merchants breaching card scheme thresholds to the COO within 24 hours. A formal merchant fraud review shall be conducted quarterly for all merchants with chargeback ratios exceeding 0.5%.
7. Fraud Investigation Procedures
7.1 Alert Triage and Priority Classification
All fraud alerts, whether system-generated or manually raised, shall be assigned a priority level at triage based on the following criteria:
| Priority | Criteria | Initial Response SLA |
|---|---|---|
| P1 - Critical | Active fraud in progress; real-time financial loss occurring; systemic attack; potential for material financial or reputational harm. | Immediate - Fraud Manager engaged within 15 minutes. |
| P2 - High | Confirmed fraud; loss has occurred but attack vector is contained; individual high-value case (above defined threshold). | 2 hours - Senior Analyst engaged within 2 hours. |
| P3 - Medium | Suspected fraud pending investigation; moderate-value case; pattern consistent with known typology. | 8 business hours - Analyst assigned within 8 business hours. |
| P4 - Low | Anomalous activity requiring investigation; no confirmed loss; low-value case; precautionary hold. | 2 business days - Analyst assigned within 2 business days. |
P1 and P2 cases shall be notified immediately to the COO. P1 cases shall be notified to the CDO concurrently.
7.2 Investigation Workflow
Step 1 - Alert Receipt and Triage. The Fraud Operations analyst receives the alert, applies the priority classification, and creates a case record in the case management system within the applicable SLA.
Step 2 - Initial Review. The assigned analyst reviews transaction data, account history, device and geolocation data, authentication logs, and any available third-party intelligence. The analyst shall document their findings and preliminary assessment in the case record.
Step 3 - Customer Contact (where appropriate). For cases where the customer may be a victim (e.g., ATO, social engineering), the analyst shall contact the customer promptly using contact details held on file before the suspicious activity began, not a phone number or e-mail address changed during the suspected compromise, which may be attacker-controlled. The analyst shall verify the transactions and, if fraud is confirmed, initiate protective measures (account freeze, card block, beneficiary blocklist).
Step 4 - Escalation to Senior Analyst. Where the initial analyst cannot confirm or rule out fraud within their authority level, or where the case exceeds their individual value threshold, the case is escalated to a Senior Analyst.
Step 5 - Escalation to Fraud Manager. The Fraud Manager assumes oversight of all P1 and P2 cases, and any case where a Senior Analyst recommends escalation. The Fraud Manager has authority to direct account suspension, merchant termination, and law enforcement referral within their authority limits.
Step 6 - Escalation to MLRO (where financial crime suspected). Where the investigation reveals indicators that the fraud may have a money laundering, terrorist financing, or sanctions evasion dimension, the Fraud Manager shall refer the matter to the MLRO without delay. From this point the MLRO determines the compliance response, including SAR/STR filing obligations. The fraud investigation may continue in parallel but shall not take any action that prejudices the MLRO's financial crime response.
Step 7 - Case Closure. Cases are closed by the Fraud Manager (or Senior Analyst within their authority) upon completion of investigation, with a documented outcome: Confirmed Fraud, Suspected Fraud (Unresolved), False Positive, or No Fraud. Closure documentation shall include the loss amount (if any), recovery amount, controls triggered or failed, and any recommended control improvements.
7.3 Evidence Preservation
7.3.1 All evidence collected during a fraud investigation shall be preserved in an unaltered state in the case management system. Evidence includes transaction logs, authentication records, device data, communication records, and any documentary evidence provided by the customer.
7.3.2 Where law enforcement referral is anticipated or has been made, evidence preservation shall comply with the chain-of-custody standards required by the relevant jurisdiction's law enforcement agency.
7.3.3 Evidence records shall be retained for a minimum of seven years from case closure, or longer where required by applicable law or regulatory obligation.
7.4 Customer Notification
7.4.1 Where a customer is identified as a victim of fraud on Simpaisa's platform, the relevant operational team shall notify the customer promptly, providing clear information about the incident, the protective measures taken, and any actions required from the customer.
7.4.2 Customer notification shall comply with data breach notification obligations under applicable law (including UAE Federal Data Protection Law, UK GDPR, and Canadian PIPEDA) where the fraud incident involved a breach of personal data.
7.4.3 Customer notifications shall be approved by the Fraud Manager before issue. For P1 cases, the COO shall approve the notification.
7.5 Law Enforcement Referral
7.5.1 The Fraud Manager, in consultation with the COO and Legal, shall refer confirmed fraud cases to the relevant law enforcement authority where:
- The fraud loss exceeds the defined law enforcement referral threshold;
- The fraud involves organised criminal activity or evidence of a wider scheme;
- Law enforcement referral is required under applicable regulatory obligation;
- Law enforcement cooperation is necessary to effect asset recovery.
7.5.2 Law enforcement referrals shall be coordinated with the MLRO where there is a financial crime dimension, to ensure consistency with any concurrent SAR or STR filing.
7.5.3 Referral thresholds and relevant law enforcement contacts by jurisdiction are documented in Appendix A.
8. Fraud Loss Management
8.1 Loss Recovery Procedures
8.1.1 Upon confirmation of fraud loss, Fraud Operations shall initiate loss recovery procedures without delay. Recovery mechanisms include:
- Transaction recall or reversal (where processing has not yet settled);
- Chargeback filing via the card scheme (for CNP fraud on Pay-In transactions);
- Correspondent recall request (for remittance transactions in transit);
- Asset freezing and recovery (where a court order or law enforcement freeze is available);
- Civil recovery action against identified fraudsters or mule account holders.
8.1.2 Recovery efforts shall be documented in the case record, including recovery amounts, timelines, and outcomes.
8.2 Merchant Liability
8.2.1 Fraud losses attributable to merchant conduct, merchant system failures, or merchant failure to implement required controls shall be assessed against the merchant for recovery in accordance with the applicable Merchant Payment Services Agreement (MPSA).
8.2.2 The Fraud Manager shall prepare a formal liability assessment for all fraud cases where merchant liability may apply, in consultation with Legal. The assessment shall be provided to the COO for approval before any liability claim is asserted against a merchant.
8.3 Insurance Claims
8.3.1 Where a fraud loss is potentially covered under Simpaisa's insurance programme, the Finance team shall be notified by the Fraud Manager within two business days of loss confirmation, and a claim shall be assessed in accordance with the terms of the relevant policy.
8.3.2 Insurance claim procedures are documented in the Simpaisa Group Insurance Programme. The CDO and CFO jointly manage insurance relationships and claim escalations.
8.4 Write-Off Authority
Fraud losses that cannot be recovered shall be written off in accordance with the following authority matrix:
| Loss Amount | Write-Off Authority |
|---|---|
| Up to USD 5,000 | Fraud Manager |
| USD 5,001 – USD 25,000 | COO |
| USD 25,001 – USD 100,000 | CEO |
| Above USD 100,000 | Board of Directors |
All write-offs shall be recorded in the fraud loss register and reported to the Board in the monthly fraud summary report. Write-offs are subject to post-incident review to determine whether control improvements are required.
9. Fraud Reporting
9.1 Internal Reporting
| Report | Frequency | Content | Audience |
|---|---|---|---|
| Fraud Operations Dashboard | Daily | Alert volumes, open cases by priority, confirmed losses, detection system status | Fraud Manager, COO, CDO |
| Fraud Committee Report | Weekly | Case summaries, emerging typologies, KPI trends, control performance, escalations | Fraud Committee (COO, CDO, MLRO, Fraud Manager, Head of Compliance) |
| Board Fraud Summary | Monthly | Fraud rate by product, total losses, recovery rate, material cases, regulatory notifications, KPI vs target | Board of Directors |
| Annual Fraud Risk Assessment | Annual | Comprehensive assessment of fraud risk across all product lines; control effectiveness; benchmarking; forward-looking typology analysis | Board, Risk Committee |
9.2 External Reporting
9.2.1 Regulatory Reporting. Simpaisa shall make all required regulatory fraud disclosures in each jurisdiction, including:
- UAE/DIFC: DFSA material incident notifications where fraud constitutes an operational incident meeting notification thresholds;
- UK: FCA payment fraud reporting (if and when FCA reporting requirements apply to the UK entity's regulated activities);
- Canada: FINTRAC suspicious transaction reports where fraud indicates proceeds of crime;
- Pakistan: SBP fraud incident reporting as required under applicable SBP circulars;
- Bangladesh: BFIU fraud-related suspicious transaction reporting.
9.2.2 Card Scheme Reporting. Simpaisa shall comply with Visa and Mastercard reporting requirements for fraud incidents exceeding scheme-defined thresholds, including Visa's Fraud Reporting System (VFRS) and Mastercard's equivalent obligations.
9.2.3 Law Enforcement Reporting. As described in Section 7.5.
10. Fraud Key Performance Indicators¶
Simpaisa shall track and report the following KPIs at the frequency indicated:
| KPI | Definition | Target | Reporting Frequency |
|---|---|---|---|
| Fraud Rate - Pay-In | Confirmed fraud losses as a proportion of Pay-In transaction value, expressed in basis points (bps) | < 5 bps | Monthly |
| Fraud Rate - Pay-Out | Confirmed fraud losses as a proportion of Pay-Out transaction value, expressed in basis points (bps) | < 3 bps | Monthly |
| Fraud Rate - Remittances | Confirmed fraud losses as a proportion of remittance transaction value, expressed in basis points (bps) | < 4 bps | Monthly |
| Fraud Rate - Crypto Off-Ramp | Confirmed fraud losses as a proportion of crypto off-ramp value, expressed in basis points (bps) | < 8 bps | Monthly |
| False Positive Rate | Transactions declined or held by fraud controls that are subsequently confirmed as legitimate, as % of all flagged transactions | < 15% | Weekly |
| Alert-to-Investigation SLA Adherence | % of alerts investigated within the applicable P1-P4 SLA | > 95% | Weekly |
| Detection-to-Resolution Time (P1) | Average time from P1 alert generation to case closure | < 4 hours | Monthly |
| Detection-to-Resolution Time (P2) | Average time from P2 alert generation to case closure | < 24 hours | Monthly |
| Recovery Rate | % of confirmed fraud losses recovered (gross) | > 30% | Monthly |
| Chargeback Ratio (merchant portfolio) | Chargebacks as % of merchant transactions (volume) | < 0.8% | Monthly |
| Write-Off Ratio | Write-offs as % of total fraud losses | Reported only | Monthly |
Targets shall be reviewed annually as part of the Annual Fraud Risk Assessment and adjusted to reflect changes in product mix, market conditions, and fraud typology trends.
11. Roles and Responsibilities¶
| Role | Responsibility |
|---|---|
| Board of Directors | Ultimate accountability for fraud risk; approval of this Policy; receipt of Monthly Fraud Summary and Annual Fraud Risk Assessment. |
| Chief Digital Officer | Ownership of fraud prevention technology and detection systems; DT Roadmap Workstream 5 delivery; device and authentication controls; technical escalations. |
| Chief Operating Officer | Ownership of operational fraud response; investigation workflow governance; law enforcement and regulatory fraud reporting; customer notification; loss management and write-off authority. |
| MLRO | Financial crime interface; primacy where fraud has AML/CTF dimension; SAR/STR filing decisions; DFSA and regulatory coordination. |
| Fraud Manager | Day-to-day management of fraud operations; P1 and P2 case oversight; escalation decisions; report production; merchant fraud monitoring. |
| Senior Fraud Analyst | Investigation of P2 and P3 cases; escalation recommendations; rule library input. |
| Fraud Analyst | Alert triage; P3 and P4 case investigation; customer contact for victim cases. |
| Head of Compliance | Regulatory fraud reporting coordination; policy maintenance; training oversight. |
| Technology Team (CDO) | Fraud detection system maintenance; rule deployment; ML roadmap delivery; device intelligence. |
| Finance | Insurance claim management; fraud loss accounting; write-off processing. |
| Customer Operations | First-line fraud alert receipt from customers; case creation and referral to Fraud Operations; customer notification execution. |
| White-Label Clients | Contractual obligation to implement required fraud controls within their customer-facing layer; reporting of fraud incidents to Simpaisa within agreed timelines. |
12. Monitoring and Review¶
12.1 Fraud Committee¶
Simpaisa shall maintain a standing Fraud Committee meeting weekly, chaired by the COO, with membership including the CDO, MLRO, Fraud Manager, and Head of Compliance. The Committee shall review the weekly fraud report, discuss emerging typologies, assess control effectiveness, and make decisions on escalations, rule changes, and merchant actions.
12.2 Annual Fraud Risk Assessment¶
The CDO and COO shall jointly commission an Annual Fraud Risk Assessment, covering:
- Fraud typology landscape and emerging risks by product line and corridor;
- Assessment of the effectiveness of prevention, detection, and investigation controls;
- Review of KPI performance against targets;
- Benchmarking against industry fraud rates where data is available;
- Review of internal and external fraud incidents and near-misses;
- Forward-looking risk assessment and control improvement recommendations.
The Annual Fraud Risk Assessment shall be presented to the Board for approval within Q1 of each calendar year.
12.3 Policy Review¶
This Policy shall be reviewed annually by the CDO and COO, or upon any material change in: fraud typology landscape; product or channel additions; regulatory requirements; or a material fraud incident that reveals a control gap. Amendments require Board approval.
13. Exceptions¶
Any exception to the controls, procedures, or limits set out in this Policy must be documented, risk-assessed, and approved by the COO (for operational controls) or CDO (for technology controls), with notification to the MLRO and Head of Compliance. No exception shall be approved that would expose the Group to a risk of regulatory breach. Exceptions shall be logged in the Policy Exception Register and reported to the Board at the next quarterly cycle.
14. Staff Awareness and Anti-Fraud Culture¶
14.1 All Simpaisa employees shall complete mandatory fraud awareness training upon joining the Group and annually thereafter. Training shall cover: recognising social engineering and phishing; internal fraud indicators and reporting obligations; the Group's zero-tolerance stance on internal fraud; customer fraud victim protocols.
14.2 Employees in roles with material fraud exposure (Fraud Operations, Customer Operations, Finance, Technology) shall complete role-specific fraud training that addresses the fraud typologies most relevant to their function.
14.3 Simpaisa shall maintain a culture in which employees feel empowered and obligated to report suspected fraud through the Whistleblowing Policy (SGP-GOV-002) without fear of retaliation. Anonymous reporting channels shall be available.
14.4 The MLRO and Fraud Manager shall deliver an annual fraud awareness briefing to the Executive Leadership Team and Board covering emerging typologies, industry developments, and the Group's fraud performance.
15. Related Policies¶
- AML/CTF Policy (SGP-FCC-001)
- Sanctions Compliance Policy (SGP-FCC-002)
- KYC/KYB and Customer Onboarding Policy (SGP-FCC-004)
- Operational Resilience Policy (SGP-OPS-001)
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- Data Governance Policy (SGP-CDO-001)
- Information Security Policy
- Whistleblowing Policy (SGP-GOV-002)
- Code of Conduct and Ethics (SGP-GOV-005)
- Incident Management Policy
Appendices¶
Appendix A - Law Enforcement Referral Thresholds and Contacts by Jurisdiction¶
| Jurisdiction | Referral Threshold | Primary Law Enforcement Authority | Regulatory Notification |
|---|---|---|---|
| UAE/DIFC | AED 50,000 (or discretion below) | Dubai Police Economic Crime Department / CBUAE | DFSA (material incident) |
| Pakistan | PKR 500,000 | Federal Investigation Agency (FIA) Cyber Crime Wing | SBP |
| Bangladesh | BDT 500,000 | Bangladesh Police Cyber Crime Unit | BFIU |
| Nepal | NPR 500,000 | Nepal Police Cyber Bureau | NRB |
| Iraq | IQD 5,000,000 | Iraqi Federal Police | CBI |
| Canada | CAD 10,000 | Royal Canadian Mounted Police (RCMP) | FINTRAC (STR) |
| UK | GBP 5,000 | Action Fraud / National Crime Agency (NCA) | FCA (if applicable) |
Referral thresholds are minima. Discretionary referrals below threshold may be made where the nature or pattern of fraud warrants law enforcement engagement.
Appendix B - Fraud KPI Dashboard Template¶
[Maintained by Fraud Operations. Updated daily in the operational fraud management system. Weekly version distributed to Fraud Committee. Monthly aggregated version included in Board Fraud Summary Report.]
Appendix C - Fraud Rule Playbook¶
[Classified: Restricted. Maintained by CDO Technology team. Access limited to: CDO, Fraud Manager, Senior Fraud Analysts, and designated Technology engineers. Not distributed externally. Version-controlled within the fraud detection system configuration repository.]
Appendix D - Annual Fraud Risk Assessment Template¶
[Template document maintained by Compliance. Assessment produced jointly by CDO and COO. Reviewed and approved by Board annually.]
---¶
POLICY 2: KYC/KYB AND CUSTOMER ONBOARDING POLICY¶
SIMPAISA GROUP
KYC/KYB AND CUSTOMER ONBOARDING POLICY
| Field | Detail |
|---|---|
| Document Reference | SGP-FCC-004 |
| Version | 1.0 |
| Status | Active |
| Owner | Money Laundering Reporting Officer (MLRO) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential |
Document Control¶
Revision History¶
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | MLRO Office | Initial draft |
| 0.2 | February 2026 | MLRO, Compliance, Legal, CDO Office | Internal review and revision |
| 0.3 | March 2026 | MLRO | Jurisdiction-specific annex drafting and regulatory alignment |
| 1.0 | April 2026 | MLRO | Board-approved final version |
Ownership¶
This Policy is owned by the Money Laundering Reporting Officer (MLRO), Shoukat Bizinjo. The MLRO is responsible for maintaining, updating, and enforcing this Policy across all Simpaisa entities and product lines. The CDO supports delivery of technology-enabled KYC controls. Country Compliance Officers are responsible for implementing jurisdiction-specific requirements as set out in the Jurisdiction Annexes (Section 12).
Distribution¶
This Policy is distributed to all senior management, Compliance, Legal, Technology, Operations, Sales, and Onboarding personnel. It is available on the internal policy management system. Detailed risk scoring matrices and screening system configuration parameters are classified Restricted and distributed to Compliance and Technology teams on a need-to-know basis.
Related Policies and Documents¶
- AML/CTF Policy (SGP-FCC-001)
- Sanctions Compliance Policy (SGP-FCC-002)
- Fraud Management Policy (SGP-FCC-003)
- Data Governance Policy (SGP-CDO-001)
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- DFSA Anti-Money Laundering Module (AML)
- UAE Federal AML Law (Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019)
- FATF Recommendations (2012, updated 2023)
- UK Money Laundering Regulations 2017 (as amended)
- FINTRAC Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
- Merchant Payment Services Agreement (MPSA)
- White-Label Wallet Client Agreements
1. Purpose and Scope¶
1.1 Purpose¶
This KYC/KYB and Customer Onboarding Policy ("Policy") establishes Simpaisa Group's ("Simpaisa" or "the Group") framework for conducting Know Your Customer (KYC) and Know Your Business (KYB) due diligence across all customer types, product lines, and jurisdictions. It sets out the Group's approach to customer risk classification, due diligence measures, beneficial ownership identification, ongoing monitoring, and de-risking, consistent with the FATF Recommendations, applicable local AML/CTF legislation, and the Group's Category 3D DFSA licence obligations.
The Policy ensures that Simpaisa does not knowingly onboard or maintain relationships with customers whose activities or profiles pose unacceptable financial crime risk, whilst enabling the Group to serve legitimate customers - including underbanked populations in frontier markets - efficiently and fairly.
This Policy satisfies requirements arising from:
- The Dubai Financial Services Authority (DFSA) Anti-Money Laundering Module (AML) applicable to the Group's DIFC entity and Cat 3D licence;
- UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and the relevant Cabinet Decisions;
- The UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as amended;
- FINTRAC's Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated regulations applicable to the Group's Canadian entity;
- The State Bank of Pakistan (SBP) AML/CFT Regulations 2020 and KYC guidelines;
- Bangladesh Financial Intelligence Unit (BFIU) AML/CFT Circular and Bangladesh Bank KYC guidelines;
- Nepal Rastra Bank (NRB) AML/CFT Guidelines and KYC Framework;
- Central Bank of Iraq (CBI) AML/CTF Instructions;
- FATF Recommendations (2012, updated 2023), including FATF Guidance on Digital Identity and FATF Guidance for a Risk-Based Approach to Virtual Assets.
1.2 Scope¶
This Policy applies to:
- All legal entities within the Simpaisa Group, including all nine subsidiary entities across all jurisdictions;
- All employees, contractors, and secondees involved in customer onboarding, due diligence, screening, monitoring, or account management;
- All customer types: (a) individual retail customers (remittance senders); (b) merchants (corporate customers, including cross-border e-commerce and in-market merchants); (c) white-label wallet end-users (where KYC is performed by or delegated from Simpaisa); (d) correspondent and partner institutions (including aggregators, sub-processors, and banking partners);
- All product lines: Pay-Ins, Pay-Outs, Remittances, Crypto Off-Ramping (Binance integration), and White-Label Wallets;
- All channels: digital self-onboarding, agent-assisted onboarding, API-integrated onboarding (for white-label clients), and in-person (where applicable in frontier markets).
This Policy does not apply to Simpaisa employees (governed by HR policies) or to the Group's own banking relationships (governed by the AML/CTF Policy - SGP-FCC-001).
2. Definitions¶
| Term | Definition |
|---|---|
| Beneficial Owner (BO) | Any natural person who ultimately owns or controls a customer entity, or on whose behalf a transaction is conducted. Ownership threshold: 25% for FATF-standard jurisdictions; 10% for jurisdictions applying a lower threshold (see Jurisdiction Annexes). |
| BFIU | Bangladesh Financial Intelligence Unit. |
| Business Relationship | An arrangement between Simpaisa and a customer intended to have an element of duration, as distinct from an occasional transaction. |
| CBI | Central Bank of Iraq. |
| CDD | Customer Due Diligence - the standard suite of identity verification, address verification, sanctions screening, and PEP screening applied to all customers. |
| CNIC | Computerised National Identity Card (Pakistan). |
| Correspondent Institution | A financial institution or licensed payment service provider with which Simpaisa has a formal arrangement to process transactions, provide liquidity, or operate as an intermediary. |
| Customer | Any natural person or legal entity that has or seeks to establish a business relationship with Simpaisa or that conducts an occasional transaction with any Simpaisa entity. |
| De-risking | The decision to exit, restrict, or decline a customer relationship on the grounds of unacceptable financial crime risk, where effective risk mitigation is not feasible. |
| DFSA | Dubai Financial Services Authority. |
| EDD | Enhanced Due Diligence - additional due diligence measures applied to high-risk customers and relationships. |
| Emirates ID | UAE national identity document issued by the Federal Authority for Identity and Citizenship (ICA). |
| FCA | Financial Conduct Authority (United Kingdom). |
| FINTRAC | Financial Transactions and Reports Analysis Centre of Canada. |
| KYB | Know Your Business - the process of verifying the identity, ownership, control, and legitimacy of a corporate customer or legal entity. |
| KYC | Know Your Customer - the process of verifying the identity of a natural person customer and assessing their risk profile. |
| MLR 2017 | Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (UK). |
| MLRO | Money Laundering Reporting Officer - Shoukat Bizinjo. |
| NADRA | National Database and Registration Authority (Pakistan). |
| NID | National Identity Document (Bangladesh - National ID card). |
| NRB | Nepal Rastra Bank. |
| Occasional Transaction | A transaction that does not form part of a business relationship; a one-off or isolated transaction with a customer with no ongoing relationship. |
| Onboarding | The process by which a prospective customer is assessed, verified, and admitted as a customer of Simpaisa. |
| PEP | Politically Exposed Person - an individual who is or has been entrusted with a prominent public function, including heads of state, senior politicians, senior government officials, judicial officials, senior military officials, senior executives of state-owned enterprises, and members of the governing bodies of international organisations. Includes domestic and foreign PEPs. |
| Prohibited Customer | A customer category that Simpaisa will not onboard under any circumstances - see Section 5. |
| Risk Appetite | The level and type of financial crime risk the Board is willing to accept in pursuit of the Group's strategic objectives. |
| SAR | Suspicious Activity Report - a report made to the relevant financial intelligence unit (FIU) disclosing known or suspected money laundering, terrorist financing, or proliferation financing. |
| SBP | State Bank of Pakistan. |
| SDD | Simplified Due Diligence - a reduced standard of due diligence applied to demonstrably low-risk customers and products. |
| Source of Funds (SoF) | The origin of the funds used in a specific transaction or relationship, e.g., salary, business revenue, sale of property. |
| Source of Wealth (SoW) | The origin of a customer's overall wealth or net worth, as distinct from the source of funds for a specific transaction. |
| UBO | Ultimate Beneficial Owner - the natural person(s) at the end of the ownership chain who ultimately own or control a legal entity. |
| VASP | Virtual Asset Service Provider - a provider of services involving the exchange, transfer, or custody of virtual assets. |
3. Policy Statements¶
3.1 Risk-Based Approach¶
3.1.1 Simpaisa's approach to KYC and KYB is risk-based. The intensity of due diligence applied to any customer or relationship is commensurate with the assessed level of financial crime risk that customer or relationship presents to the Group.
3.1.2 The risk-based approach does not mean that lower-risk customers receive no due diligence. All customers shall be subject to a minimum standard of identity verification and screening. Risk assessment determines whether additional measures are required above that minimum.
3.1.3 The MLRO maintains ultimate responsibility for the integrity of the Group's risk-based approach and shall maintain documented risk appetite statements, scoring methodologies, and calibration records.
3.2 Zero Onboarding of Prohibited Customers¶
3.2.1 Simpaisa shall not onboard any customer who falls within a Prohibited Customer category as defined in Section 5.2. This prohibition is absolute and may not be overridden by any commercial consideration.
3.3 Regulatory Compliance¶
3.3.1 Simpaisa shall comply with all applicable KYC/KYB regulatory requirements across each jurisdiction in which it operates. Where local requirements exceed FATF standards, the local standard shall apply in that jurisdiction.
3.3.2 Where two or more regulatory frameworks apply to the same customer (e.g., a UAE merchant transacting into Pakistan), the more stringent standard shall apply unless the MLRO determines a justified basis for applying a lesser standard consistent with both frameworks.
3.4 No Circumvention¶
3.4.1 No employee, officer, or director of any Simpaisa entity shall take any action to circumvent, bypass, or improperly expedite the KYC/KYB process for any customer, including for commercial reasons.
3.4.2 Any request to onboard a customer without completing applicable due diligence shall be refused and reported to the MLRO.
4. Customer Risk Classification¶
4.1 Risk Categories¶
All customers shall be assigned to one of four risk categories at onboarding, based on the risk scoring methodology in Section 4.2:
| Risk Category | Description | Due Diligence Level |
|---|---|---|
| Low | Customer and relationship present indicators of low financial crime risk. Transaction volumes, geographies, and customer type are consistent with low-risk profiles. | Simplified Due Diligence (SDD) |
| Medium | Customer and relationship present standard financial crime risk requiring standard controls. The majority of Simpaisa customers fall within this category. | Standard Customer Due Diligence (CDD) |
| High | Customer or relationship presents elevated financial crime risk indicators - e.g., high-risk country, PEP status, complex ownership, cash-intensive business, or unusual transaction patterns. | Enhanced Due Diligence (EDD) |
| Prohibited | Customer falls within a category that Simpaisa will not onboard or maintain. | Rejection - no onboarding. |
4.2 Risk Scoring Methodology¶
Each prospective customer shall be assessed across the following risk factor dimensions, with each dimension contributing a weighted score to an overall Customer Risk Score. The risk scoring matrix is maintained by the MLRO in the Customer Risk Scoring Model (Restricted).
4.2.1 Geography Risk
The customer's country of residence, nationality, country of business registration, and the remittance corridors used are assessed against:
- FATF High-Risk Jurisdictions (subject to increased monitoring) and Non-Cooperative Jurisdictions (subject to call for action);
- UK HM Treasury and EU sanctioned or high-risk third countries;
- DFSA and UAE Cabinet Decision country classifications;
- Simpaisa's internal country risk register (reviewed quarterly by the MLRO).
Countries with weak AML/CTF regimes, high corruption indices (Transparency International CPI), or significant narcotics trafficking or terrorist financing risk attract a higher geography score.
4.2.2 Product and Channel Risk
Risk varies materially across Simpaisa's product lines:
| Product / Channel | Inherent Risk Level |
|---|---|
| Remittances (individual) | Medium - high volume, cross-border, migrant worker demographic |
| Pay-Ins (card, bank) | Medium - established authentication but CNP fraud risk |
| Pay-Outs (domestic) | Medium-Low - typically employer/merchant disbursements |
| Crypto Off-Ramp | High - pseudonymous origin of funds, VASP counterparty risk |
| White-Label Wallet (client-managed KYC) | High - KYC delegation risk, limited visibility of end-user |
| Agent-based onboarding | High - reduced direct identity verification controls |
| Digital self-onboarding with biometric verification | Low-Medium - strong identity assurance |
4.2.3 Transaction Volume and Pattern Risk
Customers whose anticipated or actual transaction volumes, frequencies, or values are disproportionate to their stated purpose, occupation, or business activity attract elevated risk scores. Specific indicators include:
- Transaction volumes inconsistent with customer profile or business sector;
- Rapid growth in transaction activity shortly after onboarding;
- High concentration of transactions to a single beneficiary or jurisdiction;
- Regular transactions just below reporting thresholds.
4.2.4 Industry and Business Activity Risk
For corporate customers, the nature of the business activity is assessed for inherent financial crime exposure:
| Industry / Activity | Risk Level |
|---|---|
| Money services businesses (MSBs), FX brokers, payment aggregators | High |
| Gambling, gaming, adult content platforms | High |
| Arms, defence, dual-use goods | High / Prohibited |
| Cryptocurrency exchanges, VASPs | High |
| Cash-intensive retail (hospitality, petrol stations) | Medium-High |
| Charities, non-profit organisations | Medium-High |
| Professional services (legal, accountancy) | Medium |
| E-commerce, retail (non-cash) | Low-Medium |
| Regulated financial institutions (banks, insurers) | Low (subject to correspondent institution checks) |
4.2.5 Ownership Structure Risk
Corporate customers with complex, multi-layered, or opaque ownership structures - including structures involving bearer shares, nominee shareholders, or trusts in secrecy jurisdictions - attract elevated risk scores. Structures that obscure the identity of UBOs attract the highest score within this dimension.
4.2.6 PEP and Adverse Media Status
The presence of a PEP - as customer, UBO, director, or authorised signatory - elevates the customer to High Risk by default, regardless of other scoring outcomes. Significant adverse media (credible allegations of financial crime, corruption, fraud, or serious regulatory sanction) elevates risk in proportion to the severity and credibility of the media.
4.3 Risk Review and Reclassification¶
Customer risk classifications shall be reviewed:
- Upon periodic review (as per Section 10);
- Upon any material change in customer profile, transaction behaviour, business activity, or ownership;
- Upon receipt of an adverse media alert, sanctions alert, or PEP match;
- At the direction of the MLRO.
Reclassification to a higher risk category shall trigger the due diligence requirements applicable to that category within 30 days of reclassification.
5. Customer Categories and Prohibited Customers¶
5.1 Customer Categories¶
Simpaisa serves the following customer types, each subject to the due diligence framework described in this Policy:
| Customer Type | Description |
|---|---|
| Individual Retail Customer | Natural person using Simpaisa (or a white-label wallet) for personal remittance or payment purposes. |
| Merchant (SME) | Small or medium-sized business entity onboarded to accept payments via Simpaisa's Pay-In infrastructure. |
| Merchant (Enterprise) | Large business entity or multinational with complex corporate structure, onboarded via enhanced KYB. |
| White-Label Wallet Client | A business entity that licences Simpaisa's wallet infrastructure and serves its own end-users. KYC of end-users may be delegated - see Section 11. |
| Correspondent Institution | A financial institution or licensed PSP with which Simpaisa has a formal correspondent or partnership arrangement. |
5.2 Prohibited Customers¶
Simpaisa shall not onboard, and shall exit any existing relationship with, any customer who falls within the following prohibited categories:
| Prohibited Category | Basis |
|---|---|
| Sanctioned persons and entities (any jurisdiction) | Absolute regulatory prohibition; sanctions compliance |
| Terrorist organisations and designated individuals | Absolute regulatory prohibition; terrorist financing |
| Countries subject to comprehensive sanctions (North Korea, Iran, Syria, Russian-occupied territories) | Regulatory prohibition under UAE, UK, EU, and US sanction regimes |
| Shell companies with no determinable legitimate business purpose | Excessive financial crime risk |
| Anonymous or bearer share companies where UBO cannot be identified | FATF and local regulatory requirement |
| Unlicensed money service businesses or unlicensed VASPs | Regulatory prohibition; financial crime risk |
| Businesses involved in arms dealing, weapons manufacture, or dual-use goods | Prohibited under Simpaisa risk appetite |
| Businesses with direct or indirect operations in sanctioned territories | Sanctions compliance |
| Any person or entity previously exited by Simpaisa for financial crime reasons | Risk appetite |
6. Simplified Due Diligence (SDD)¶
6.1 Eligibility Criteria¶
SDD may be applied only where all of the following conditions are met:
- The customer's risk score falls within the Low risk category under Section 4.2;
- The product used is not a Crypto Off-Ramp or a White-Label Wallet where KYC has been delegated to the client;
- No PEP, sanctions, or adverse media match has been returned during screening;
- Transaction values and frequencies fall within the defined SDD thresholds;
- There is no indication of unusual transaction patterns or circumstances that would otherwise suggest a higher risk profile.
SDD is not available as an option for correspondent institutions, which require at minimum Standard CDD plus correspondent-specific checks.
6.2 Minimum SDD Requirements¶
Where SDD eligibility is confirmed, the following minimum requirements shall be met before a customer relationship is established or a transaction is processed:
- Verification of the customer's full legal name;
- Verification of the customer's date of birth (individuals) or company registration number (legal entities);
- Collection of a valid government-issued identification document reference (individuals) - physical verification may be deferred at SDD level for low-value transactions below defined thresholds;
- Real-time sanctions screening against applicable sanctions lists;
- PEP screening - if any match is returned, SDD is immediately ineligible and Standard CDD applies;
- Recording of the transaction purpose and, where applicable, the anticipated source of funds.
6.3 SDD Thresholds and Limits¶
| Parameter | Limit |
|---|---|
| Maximum single transaction value | USD 500 (or equivalent) |
| Maximum cumulative 30-day transaction value | USD 1,500 (or equivalent) |
| Available product lines | Remittances, Pay-Ins (personal, non-card), Pay-Outs (personal) |
| Excluded products | Crypto Off-Ramp, White-Label Wallets (delegated KYC), Merchant onboarding |
SDD customers who breach these thresholds shall be automatically escalated to Standard CDD. The Compliance team shall review SDD eligibility calibration quarterly.
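The eligibility conditions in Section 6.1, the screening exclusions in Section 6.2 and the automatic escalation on threshold breach in Section 6.3 can be expressed as a single decision routine. The following is an added illustration written for this page; it is not Simpaisa's code, and the customer fields, product codes and function names are assumptions. It keeps a trailing 30-day window per customer so that the cumulative USD 1,500 limit is evaluated against the transactions actually inside the window, and it moves the customer to Standard CDD the moment either limit would be breached.

```python
"""Added example: SDD eligibility and threshold escalation (Sections 6.1-6.3)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Limits from Section 6.3 (USD or equivalent).
SDD_MAX_SINGLE_USD = 500.0
SDD_MAX_30_DAY_USD = 1_500.0
SDD_WINDOW = timedelta(days=30)

# Assumed product codes for the product lines on which Section 6.3 makes SDD available;
# crypto off-ramp, delegated-KYC wallets and merchant onboarding are deliberately absent.
SDD_AVAILABLE_PRODUCTS = {"remittance", "pay_in_non_card", "pay_out_personal"}


@dataclass
class Customer:
    """Constructed customer record; field names are assumptions, not Simpaisa's schema."""
    customer_id: str
    risk_category: str                 # "Low", "Medium", "High" or "Prohibited" (Section 4.1)
    customer_type: str                 # "individual", "merchant" or "correspondent"
    pep_match: bool = False            # result of PEP screening (Section 7.5)
    sanctions_match: bool = False      # result of sanctions screening (Section 7.4)
    adverse_media_match: bool = False  # result of adverse media screening (Section 7.6)
    unusual_pattern: bool = False      # monitoring flag (Section 6.1, last bullet)
    due_diligence_level: str = "SDD"   # current level: "SDD" or "CDD"
    history: List[Tuple[datetime, float]] = field(default_factory=list)


def sdd_eligible(c: Customer, product: str) -> bool:
    """Section 6.1: SDD may be applied only when every condition holds."""
    if c.customer_type == "correspondent":     # never SDD (Section 6.1, final sentence)
        return False
    if c.risk_category != "Low":
        return False
    if product not in SDD_AVAILABLE_PRODUCTS:  # excluded product lines (Section 6.3)
        return False
    if c.pep_match or c.sanctions_match or c.adverse_media_match:
        return False
    if c.unusual_pattern:
        return False
    return True


def rolling_30_day_total(c: Customer, now: datetime) -> float:
    """Sum of the customer's recorded transactions inside the trailing 30-day window."""
    cutoff = now - SDD_WINDOW
    return sum(value for ts, value in c.history if ts > cutoff)


def assess_transaction(c: Customer, product: str, usd_value: float, now: datetime) -> str:
    """Decide how a proposed transaction is handled under SDD.

    Returns one of:
      "blocked"      - a sanctions match blocks the transaction pending Compliance
                       investigation (Section 7.4)
      "standard_cdd" - customer is outside SDD eligibility, or a Section 6.3 limit
                       would be breached; customer is escalated to Standard CDD
      "sdd_ok"       - within SDD limits; transaction recorded against the window
    """
    if c.sanctions_match:
        return "blocked"
    if c.due_diligence_level != "SDD" or not sdd_eligible(c, product):
        c.due_diligence_level = "CDD"
        return "standard_cdd"
    if usd_value > SDD_MAX_SINGLE_USD:
        c.due_diligence_level = "CDD"
        return "standard_cdd"
    if rolling_30_day_total(c, now) + usd_value > SDD_MAX_30_DAY_USD:
        c.due_diligence_level = "CDD"
        return "standard_cdd"
    c.history.append((now, usd_value))
    return "sdd_ok"


def demo() -> List[str]:
    """Constructed walk-through: four USD 400 remittances; the fourth breaks the 30-day limit."""
    c = Customer("C-0001", "Low", "individual")
    t0 = datetime(2026, 4, 1, 9, 0)
    decisions = []
    for day in (0, 3, 10):
        decisions.append(assess_transaction(c, "remittance", 400.0, t0 + timedelta(days=day)))
    # Day 12: USD 1,200 already in the window + 400 = 1,600 > 1,500, so escalate.
    decisions.append(assess_transaction(c, "remittance", 400.0, t0 + timedelta(days=12)))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The escalation is one-way by design: once `due_diligence_level` is "CDD" the routine never returns "sdd_ok" again, which matches the policy's requirement that a breach escalates the customer rather than merely declining the single transaction. Calibration of the thresholds themselves remains the quarterly Compliance review described above, so the constants are the only place that needs to change.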
7. Standard Customer Due Diligence (CDD)¶
7.1 Identity Verification¶
All customers subject to Standard CDD shall have their identity verified through the following:
7.1.1 Individual Customers:
- Full legal name - verified against a government-issued primary identity document (passport, national identity card, driving licence where accepted in the relevant jurisdiction);
- Date of birth - verified against the primary identity document;
- Residential address - verified against a secondary document (utility bill, bank statement, or government correspondence not more than three months old) or through an electronic verification source;
- Nationality and country of birth - recorded;
- A clear copy of the primary identity document shall be obtained and retained. Where identity is verified through a digital verification service, the verification result, data extracted, and confidence score shall be retained.
7.1.2 Corporate Customers:
- Full legal name of the entity - verified against a current certificate of incorporation or equivalent official document;
- Registered address and principal place of business;
- Company registration number;
- Date of incorporation and jurisdiction;
- Articles of association or equivalent constitutional documents;
- Names and identity of all directors.
7.2 Address Verification¶
Address verification shall be conducted for all individual customers at Standard CDD level:
- Residential address verified through a secondary document or electronic database check;
- For high-value customers (above defined transaction thresholds), address verification shall be through at least two independent sources;
- Where electronic address verification is used, the verification provider must be approved by the MLRO, and the verification result and timestamp shall be retained in the customer record.
7.3 Source of Funds¶
Source of funds declaration and verification shall be required for:
- Individual customers whose cumulative 30-day transaction value exceeds USD 3,000 (or equivalent);
- All merchant customers upon onboarding;
- All correspondent institution customers;
- Any customer where the transaction pattern is inconsistent with the stated source of funds.
Source of funds shall be documented by the customer (e.g., salary, business revenue, property sale) and, at Standard CDD level, accepted without independent documentary verification unless risk indicators suggest otherwise. Documentary verification of SoF is required at EDD level (Section 8).
7.4 Sanctions Screening¶
All customers shall be screened against applicable sanctions lists in real time at onboarding and on an ongoing basis:
- UN consolidated sanctions list;
- OFAC SDN and Sectoral Sanctions lists;
- EU consolidated sanctions list;
- UK HM Treasury Financial Sanctions list;
- UAE local terrorist list and applicable Cabinet Decision lists;
- DFSA-applicable sanctions lists;
- Any other lists required by applicable local regulation.
Sanctions screening shall be performed against the customer's full name (including all known aliases), date of birth, and country. Where a match is returned, the transaction or onboarding shall be blocked pending investigation by Compliance. Confirmed matches shall be referred immediately to the MLRO.
7.5 PEP Screening¶
All customers shall be screened for PEP status at onboarding:
- Screening shall cover the customer, their directors and authorised signatories (for corporate customers), and UBOs;
- PEP screening shall use a commercially provided PEP database (approved by the MLRO);
- A confirmed PEP match shall trigger reclassification to High Risk and the application of EDD as set out in Section 8;
- Family members and close associates of confirmed PEPs shall also be flagged and subject to EDD.
7.6 Adverse Media Screening¶
At Standard CDD level, adverse media screening shall be conducted at onboarding using a structured search of commercially available adverse media databases or open-source intelligence (OSINT). Material adverse media - credible reports of financial crime, corruption, fraud, sanctions violations, or serious regulatory action - shall be escalated to Compliance for assessment. Where adverse media is sufficiently serious, the customer shall be reclassified to High Risk.
8. Enhanced Due Diligence (EDD)¶
8.1 EDD Triggers¶
Enhanced Due Diligence is mandatory where any of the following conditions apply:
| EDD Trigger | Basis |
|---|---|
| Customer is resident in, or transacts to/from, a FATF high-risk or non-cooperative jurisdiction | Regulatory requirement |
| Customer is a PEP, or is connected to a PEP (family member or close associate) | Regulatory requirement (all jurisdictions) |
| Customer has a complex, multi-layered, or opaque corporate ownership structure | Elevated financial crime risk |
| Customer's transaction patterns are unusual, inconsistent with stated profile, or exhibit structuring indicators | Elevated financial crime risk |
| Customer is a VASP or involved in crypto-related activities (including the Binance off-ramp) | Elevated financial crime risk; FATF Guidance on Virtual Assets |
| Customer is a correspondent institution classified as high-risk | Regulatory and risk appetite requirement |
| Customer operates in a high-risk industry (see Section 4.2.4) | Elevated financial crime risk |
| Adverse media match of significant credibility and severity | Elevated financial crime risk |
| Manual referral by Compliance, MLRO, or senior management | Discretionary |
8.2 EDD Requirements¶
Where EDD is triggered, the following requirements apply in addition to all Standard CDD requirements:
8.2.1 Source of Wealth Verification. The customer shall provide documentary evidence of the origin of their overall wealth (e.g., employment contract and payslips, audited financial statements, property sale contracts, inheritance documentation). The MLRO or designated Compliance officer shall assess the plausibility and consistency of the SoW evidence.
8.2.2 Enhanced Source of Funds. Documentary evidence of the specific source of funds for transactions in the relationship shall be obtained and verified against available third-party data.
8.2.3 Ownership and Control Structure Mapping. For corporate customers, a complete and verified ownership and control chart shall be obtained, showing all entities in the ownership chain down to the natural person UBOs. Each UBO shall be individually verified.
8.2.4 Senior Management Approval. Onboarding of any EDD customer requires approval from the MLRO (for individuals) or the MLRO and the COO (for corporate customers). No EDD customer shall be onboarded without documented approval.
8.2.5 Enhanced Ongoing Monitoring. EDD customers shall be subject to enhanced transaction monitoring - a higher sensitivity ruleset, lower transaction alert thresholds, and a more frequent periodic review cycle (annual, as per Section 12.2).
8.2.6 Enhanced Adverse Media Monitoring. EDD customers shall receive ongoing automated adverse media monitoring with alerts reviewed by Compliance monthly.
8.2.7 Site Visits (High-Risk Merchants). For high-risk corporate merchant customers (high-risk industry, high transaction volumes, complex structures), a site visit or equivalent verification exercise shall be conducted before onboarding or within 60 days of provisional onboarding. Site visit findings shall be documented in the customer file.
9. Beneficial Ownership¶
9.1 UBO Identification Standard¶
For all corporate customers, Simpaisa shall identify and verify the identity of all ultimate beneficial owners (UBOs):
9.1.1 Standard Threshold. Any natural person who owns or controls, directly or indirectly, 25% or more of the shares or voting rights of the corporate customer shall be identified and verified as a UBO. This threshold applies in all jurisdictions unless a lower threshold is required by local regulation.
9.1.2 Lower Threshold Jurisdictions. In jurisdictions where local regulation requires identification of UBOs at a lower threshold, that threshold shall apply:
| Jurisdiction | UBO Threshold |
|---|---|
| UAE/DIFC | 25% (DFSA standard) |
| UK | 25% (PSC regime under Companies Act 2006) |
| Canada | 25% (PCMLTFA regulations) |
| Pakistan | 25% (SBP AML/CFT Regulations) |
| Bangladesh | 25% (BFIU guidance) |
| Nepal | 25% (NRB KYC Framework) |
| Iraq | 25% (CBI instructions; lower where CBI guidance evolves) |
Where no natural person meets the applicable threshold, the most senior managing official(s) of the corporate customer shall be identified and verified as the controller.
9.1.3 Control Test. In addition to the ownership threshold, Simpaisa shall identify and verify any natural person who exercises control over the corporate customer through other means, including: the right to appoint or remove the majority of directors; significant influence over management decisions; or control over a trust or nominee arrangement through which the entity is held.
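The ownership test in Section 9.1 has to be applied to real ownership charts, where holdings are often indirect and sometimes incomplete. The following is an added worked example, not Simpaisa's own tooling: it computes each natural person's effective holding by multiplying percentages along every ownership chain (an assumption about method; the policy only says "directly or indirectly"), applies the Section 9.1.2 threshold for the chosen jurisdiction, falls back to the senior managing officials where nobody meets it, and surfaces undisclosed, off-chart or circular holdings as an "UNKNOWN" share so an incomplete chart cannot silently hide a UBO. The sample structure, the `P:`/`E:` naming and the `senior_managing_officials` input are all constructed for the example; the Section 9.1.3 control test remains a separate manual assessment.

```python
from collections import defaultdict

# Jurisdiction thresholds from the table in Section 9.1.2 (percent of shares or
# voting rights). The values are the policy's own; the dict layout is this example's.
UBO_THRESHOLDS = {
    "UAE/DIFC": 25.0, "UK": 25.0, "Canada": 25.0, "Pakistan": 25.0,
    "Bangladesh": 25.0, "Nepal": 25.0, "Iraq": 25.0,
}

# Constructed sample ownership chart (not a real customer). Each key is an
# entity; each value lists (holder, percent of that entity held by the holder).
# Holder names prefixed "P:" are natural persons, "E:" are legal entities.
# E:Nominee only accounts for 80% of its shares: the remaining 20% is
# undisclosed and must surface as a gap in the chart.
SAMPLE_STRUCTURE = {
    "E:CustomerCo": [("E:HoldCo", 60.0), ("P:Alice", 30.0), ("P:Bob", 10.0)],
    "E:HoldCo": [("P:Carol", 50.0), ("E:Nominee", 50.0)],
    "E:Nominee": [("P:Dave", 80.0)],
}


def effective_ownership(structure, entity, multiplier=100.0, path=(), result=None):
    """Return {natural person: effective percent of `entity`}.

    Indirect holdings are computed by multiplying the percentages along each
    ownership chain (assumption: look-through method). Undisclosed holdings,
    entities missing from the chart and circular cross-holdings are accumulated
    under "UNKNOWN" so that an incomplete chart is visible to the analyst.
    """
    if result is None:
        result = defaultdict(float)
    holders = structure.get(entity)
    if holders is None:                       # entity not described on the chart
        result["UNKNOWN"] += multiplier
        return result
    allocated = 0.0
    for holder, pct in holders:
        allocated += pct
        share = multiplier * pct / 100.0      # holder's effective % of the root entity
        if holder.startswith("P:"):
            result[holder] += share
        elif holder == entity or holder in path:   # circular holding: unresolved
            result["UNKNOWN"] += share
        else:
            effective_ownership(structure, holder, share, path + (entity,), result)
    if allocated < 100.0:                     # part of the share capital undisclosed
        result["UNKNOWN"] += multiplier * (100.0 - allocated) / 100.0
    return result


def identify_ubos(structure, entity, jurisdiction, senior_managing_officials):
    """Apply the Section 9.1 ownership test to one corporate customer.

    Returns the natural persons at or above the jurisdiction's threshold; where
    nobody meets it, the senior managing officials are returned as controllers
    (Section 9.1.2, final paragraph). `senior_managing_officials` is an input
    constructed for this example.
    """
    threshold = UBO_THRESHOLDS[jurisdiction]
    shares = {p: round(v, 6) for p, v in effective_ownership(structure, entity).items()}
    unresolved = shares.pop("UNKNOWN", 0.0)
    ubos = sorted(p for p, v in shares.items() if v >= threshold)
    return {
        "jurisdiction": jurisdiction,
        "threshold_pct": threshold,
        "effective": shares,
        "ubos": ubos,
        "controllers": [] if ubos else list(senior_managing_officials),
        "unresolved_pct": unresolved,
        # A gap large enough to conceal a UBO means the chart is not "complete
        # and verified" in the sense of Section 8.2.3 and needs follow-up.
        "chart_incomplete": unresolved >= threshold,
    }


if __name__ == "__main__":
    print(identify_ubos(SAMPLE_STRUCTURE, "E:CustomerCo", "UK", ["P:ManagingDirector"]))
```

On the sample chart Alice (30%) and Carol (60% of HoldCo's 50%, so 30%) are UBOs, while Dave's 24% through the nominee falls just below the threshold and 6% of the company is unaccounted for; that residual is exactly the kind of gap an analyst should chase before signing off the chart under Section 8.2.3.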
9.2 UBO Verification Requirements¶
Identified UBOs shall be verified through:
- Provision of a government-issued identity document (as per Section 7.1.1 for individuals);
- Cross-referencing against company registry filings, shareholder registers, or official ownership declarations;
- Sanctions screening and PEP screening against all identified UBOs.
9.3 Exemptions for Listed Companies¶
Where a corporate customer is listed on a recognised and regulated stock exchange - and is subject to disclosure obligations that ensure transparency of ownership - full UBO verification may be streamlined subject to:
- Confirmation of listing and regulatory jurisdiction;
- Verification that the exchange is on Simpaisa's approved list of recognised exchanges (maintained by the MLRO);
- Identification of any material shareholders (above the applicable threshold) that may be PEPs or sanctioned parties;
- Standard CDD (at minimum) on the entity itself.
This exemption does not apply where there are indicators of risk that suggest the listed status is being used to obscure beneficial ownership.
9.4 Nominee Shareholders and Trusts¶
Where a corporate customer's ownership chain includes nominee shareholders or trust arrangements:
- The nominee arrangement shall be disclosed and documented;
- The nominator (the natural person on whose behalf the nominee holds the shares) shall be identified and verified;
- The trust deed or equivalent instrument shall be obtained;
- The trustee, settlor, and all beneficiaries of the trust shall be identified.
10. Merchant and Corporate KYB¶
10.1 Company Registration Verification¶
All corporate merchant customers shall provide, and Simpaisa shall verify, the following:
- Certificate of incorporation (or equivalent) from the relevant company registry;
- Current registered address and principal place of business;
- Articles of association or equivalent constitutional documents;
- List of current directors and authorised signatories;
- Evidence of regulatory licences or approvals required for the business activity (e.g., e-commerce licences, payment institution licences, gambling licences).
Where possible, company registry verification shall be conducted electronically against official registry databases. Where electronic verification is not available (e.g., in Iraq and Nepal), physical document verification shall be conducted.
10.2 Director Identification¶
All current directors of a corporate merchant customer shall be:
- Identified by name, nationality, and date of birth;
- Subject to sanctions screening and PEP screening;
- Individually verified (at minimum, name and identity document reference) for Standard KYB;
- Fully verified (identity document, address, SoF) for EDD KYB.
10.3 Business Activity Assessment¶
The Compliance team shall conduct a documented assessment of the merchant's business activity, covering:
- Primary and secondary business activities, including product and service categories;
- Geographic markets served and customer demographics;
- Anticipated payment volumes and values;
- Assessment of the business model's consistency with lawful commerce;
- Identification of any high-risk indicators (see Section 4.2.4).
Where the business activity assessment identifies indicators inconsistent with the merchant's stated profile, Compliance shall seek clarification from the merchant and, if not resolved, shall escalate to the MLRO.
10.4 Site Visits¶
Site visits (physical or virtual, as appropriate) shall be conducted for:
- All high-risk merchants (mandatory, before or within 60 days of onboarding);
- Any merchant where the Compliance team determines that a site visit is necessary to resolve uncertainty about business activity or operations;
- Merchants whose transaction patterns diverge significantly from stated business activity (periodic, at Compliance discretion).
Site visit reports shall be documented in the customer file, including the date, method (physical or virtual), findings, and risk assessment conclusions.
11. Crypto-Specific KYC (VASP and Off-Ramp)¶
11.1 VASP Customer Identification¶
Where Simpaisa onboards a VASP (e.g., a cryptocurrency exchange or wallet provider) as a correspondent or partner institution, or where Simpaisa's Binance crypto off-ramp is accessed by institutional counterparties, the following additional requirements apply:
- Verification that the VASP counterparty holds all required regulatory licences or registrations in its jurisdiction of operation;
- Assessment of the VASP's AML/CTF programme, including its KYC standards and transaction monitoring capabilities;
- Identification and verification of the VASP's UBOs and senior management;
- Ongoing monitoring of the VASP's regulatory status and any adverse media or enforcement actions.
11.2 Retail Customer Crypto Off-Ramp KYC¶
Individual customers using Simpaisa's crypto off-ramp (Binance integration) to convert cryptocurrency to fiat shall be subject to EDD as a minimum, regardless of transaction value, given the elevated inherent risk of crypto-to-fiat conversion. Requirements include:
- Full identity verification per Standard CDD (Section 7.1);
- Wallet address verification - the source wallet address(es) shall be collected and screened against blockchain analytics tools approved by the MLRO for indicators of illicit activity, including association with sanctioned addresses, darknet markets, mixing services, or ransomware wallets;
- Declaration and assessment of the source of the crypto funds - the customer shall declare how the cryptocurrency was acquired (mining, exchange purchase, P2P transfer, etc.) and provide supporting evidence where the value is material;
- Source of wealth assessment for off-ramp transactions above defined thresholds;
- Senior management approval for off-ramp transactions above a defined high-value threshold.
11.3 Blockchain Analytics¶
Simpaisa shall maintain a blockchain analytics capability (through a commercially provided tool approved by the MLRO) to:
- Screen wallet addresses at the point of transaction initiation;
- Identify wallet addresses associated with OFAC-sanctioned entities or wallets subject to regulatory orders;
- Assess the risk exposure of source wallets based on their transaction history (e.g., direct or indirect exposure to darknet markets, mixing services, or known theft wallets);
- Generate risk scores to inform transaction approval or rejection decisions.
The blockchain analytics tool configuration and risk thresholds shall be reviewed by the MLRO quarterly.
12. Ongoing Monitoring and Periodic Review¶
12.1 Ongoing Transaction Monitoring¶
All customer relationships shall be subject to ongoing transaction monitoring to identify transactions that are unusual, inconsistent with the customer's known profile, or indicative of financial crime. Transaction monitoring shall be conducted through:
- Automated rule-based monitoring (real-time and batch);
- ML-based anomaly detection (per DT Roadmap Workstream 5, when deployed);
- Manual review of flagged transactions by the Compliance team.
12.2 Periodic Review Cycles¶
Customer files and risk assessments shall be reviewed on the following cycle:
| Risk Category | Periodic Review Cycle |
|---|---|
| Low (SDD) | Every three years, or upon a material trigger event |
| Medium (Standard CDD) | Every three years, or upon a material trigger event |
| High (EDD) | Annually, or upon a material trigger event |
12.3 Event-Triggered Review¶
In addition to periodic review, a full CDD or EDD review shall be triggered by any of the following events:
- A material change in the customer's profile, ownership, or business activity;
- A new sanctions, PEP, or adverse media alert related to the customer;
- A significant change in transaction volume, frequency, or pattern inconsistent with the customer profile;
- A law enforcement request or court order relating to the customer;
- Receipt of a fraud alert or financial crime suspicion relating to the customer;
- A material change in the risk profile of the customer's jurisdiction or industry.
13. De-Risking and Exit Criteria¶
13.1 De-Risking Policy¶
Simpaisa recognises that de-risking (the blanket refusal of entire categories of customers based on sector or geography, without individual risk assessment) is itself contrary to FATF Guidance and may contribute to financial exclusion. Simpaisa's policy is to apply proportionate, risk-based due diligence rather than de-risking entire customer segments, where effective controls can be applied.
13.2 Exit Criteria¶
Notwithstanding Section 13.1, Simpaisa shall exit or decline to establish a customer relationship where:
- The customer falls within a Prohibited Customer category (Section 5.2);
- CDD or EDD cannot be completed to a satisfactory standard within a reasonable timeframe, and the customer is unwilling or unable to provide the required information;
- The customer's risk profile, following full due diligence, exceeds the Group's risk appetite and no effective mitigation is available;
- A SAR has been filed and the MLRO determines that the relationship cannot be maintained without tipping-off risk;
- A regulatory direction to exit the relationship has been received;
- The customer has been involved in confirmed fraud against Simpaisa.
13.3 Exit Procedure¶
Customer exits shall be managed by Compliance in consultation with Legal and the relevant business unit. Exit decisions shall be documented, including the reason for exit. Where a SAR has been filed, exit timing shall be determined by the MLRO in light of tipping-off obligations. Customer notifications upon exit shall comply with applicable legal obligations and shall not disclose financial crime-related reasons where doing so would constitute tipping-off.
14. Record-Keeping¶
14.1 General Requirements¶
All KYC/KYB records, including customer identification documents, due diligence records, screening results, risk assessments, and periodic review records, shall be retained for:
- A minimum of five years from the date the business relationship ends or the occasional transaction is completed;
- Longer where required by applicable local regulation (see jurisdiction-specific requirements below).
Records shall be stored in the Group's secure document management system, accessible to Compliance and the MLRO, with access logs maintained.
14.2 Jurisdiction-Specific Record-Keeping Requirements¶
| Jurisdiction | Minimum Retention Period | Authority |
|---|---|---|
| UAE/DIFC | 6 years | DFSA AML Module; UAE Federal AML Law |
| UK | 5 years from end of relationship | MLR 2017 |
| Canada | 7 years | PCMLTFA Regulations |
| Pakistan | 10 years | SBP AML/CFT Regulations |
| Bangladesh | 5 years | Money Laundering Prevention Act 2012 |
| Nepal | 5 years | NRB AML/CFT Guidelines |
| Iraq | 5 years | CBI AML/CTF Instructions |
Where records relate to a suspicious transaction report or are subject to a regulatory or law enforcement order, they shall be retained until the MLRO or Legal confirms that the retention obligation has been discharged.
15. Delegation of KYC to Third Parties¶
15.1 Permitted Delegation¶
Simpaisa may delegate KYC performance to third parties in the following circumstances:
- White-label wallet clients who perform KYC on their own end-users in accordance with an approved programme;
- Regulated third-party identity verification service providers engaged to perform digital identity checks on Simpaisa's behalf;
- Correspondent institutions performing customer identification within their own regulated framework, where Simpaisa relies on that institution's CDD under applicable legal provisions.
15.2 Conditions for Delegation¶
Delegation of KYC shall only be permitted where:
- The third party is subject to AML/CTF regulatory oversight in a jurisdiction with FATF-equivalent standards;
- A written agreement is in place with the third party specifying: the KYC standards to be applied; Simpaisa's right to audit the third party's KYC programme; obligations to share data and records with Simpaisa upon request; and the third party's obligation to notify Simpaisa of any material compliance failure;
- The MLRO has reviewed and approved the delegation arrangement;
- Simpaisa has conducted due diligence on the third party's AML/CTF programme before delegation commences.
15.3 Ultimate Responsibility¶
Delegation of KYC performance does not transfer Simpaisa's ultimate regulatory responsibility. Simpaisa remains liable for the adequacy of the KYC performed on its behalf and shall maintain oversight of delegated KYC programmes through regular audits, data quality reviews, and contractual compliance mechanisms.
15.4 White-Label Wallet Client KYC Standards¶
White-label wallet clients shall be contractually required to:
- Apply KYC standards no less stringent than Simpaisa's Standard CDD for all end-users;
- Apply EDD for end-users meeting EDD trigger criteria;
- Provide Simpaisa with access to KYC records for any end-user upon request within two business days;
- Notify Simpaisa of any suspected financial crime, SAR filing, or regulatory inquiry relating to an end-user within one business day;
- Subject their KYC programme to annual audit by Simpaisa's Compliance team or an approved third party.
Clients who fail to meet these standards shall be subject to remediation plans and, if remediation fails, exit pursuant to Section 13.2.
16. Roles and Responsibilities¶
| Role | Responsibility |
|---|---|
| Board of Directors | Ultimate accountability for the Group's KYC/KYB framework; approval of this Policy; receipt of periodic compliance reporting. |
| MLRO (Shoukat Bizinjo) | Policy ownership and maintenance; risk appetite calibration; EDD approval; SAR filing decisions; regulatory relationship management; oversight of all KYC/KYB operations. |
| Head of Compliance | Day-to-day oversight of KYC/KYB operations; Compliance team management; periodic review coordination; training delivery; exception management. |
| Country Compliance Officers | Implementation of jurisdiction-specific KYC requirements as per the Section 20 Jurisdiction Annexes; local regulatory reporting; liaison with local authorities. |
| Onboarding Team | Execution of KYC/KYB procedures for new customers; document collection and verification; case creation and escalation. |
| Compliance Analysts | Adverse media and PEP screening; sanctions alert investigation; EDD case preparation; ongoing monitoring review. |
| CDO (Daniel O'Reilly) | Technology enablement of KYC/KYB controls; digital identity verification platform; sanctions screening system; transaction monitoring system; blockchain analytics. |
| Technology Team | Maintenance and development of KYC technology systems; screening system configuration; API integrations with verification providers. |
| Sales and Relationship Management | First point of contact for prospective customers; responsible for initial information collection and referral to Onboarding; must not onboard customers outside approved process. |
| Legal | Contract review for third-party KYC delegation; customer exit documentation; regulatory correspondence. |
| Internal Audit | Independent assurance over the KYC/KYB framework; periodic audit of a sample of customer files; reporting to Board Audit Committee. |
17. Monitoring and Reporting¶
17.1 KYC/KYB Compliance Monitoring¶
The MLRO shall maintain a KYC/KYB compliance monitoring programme covering:
- Regular sampling of customer files to assess due diligence quality and completeness;
- Monitoring of periodic review completion rates and overdue reviews;
- Assessment of screening system effectiveness and false positive/negative rates;
- Tracking of exceptions and escalations;
- Review of SAR filing decisions and quality.
17.2 Reporting to Governance Bodies¶
| Report | Frequency | Audience |
|---|---|---|
| KYC/KYB Operations Report | Monthly | MLRO, Head of Compliance |
| Compliance Dashboard (KYC/KYB component) | Quarterly | Executive Leadership Team |
| Board Compliance Report (KYC/KYB component) | Quarterly | Board of Directors |
| Annual KYC/KYB Programme Review | Annual | Board of Directors |
18. Exceptions¶
Any exception to the requirements of this Policy shall be:
- Requested in writing by the relevant business unit, with full justification;
- Reviewed and approved by the MLRO;
- Recorded in the Policy Exception Register with the rationale, risk assessment, and any compensating controls;
- Reviewed and confirmed or withdrawn at the next periodic Policy review.
No exception may be approved that would result in a breach of applicable regulatory requirements. The MLRO shall report all exceptions to the Board as part of the quarterly Compliance Report.
19. Related Policies¶
- AML/CTF Policy (SGP-FCC-001)
- Sanctions Compliance Policy (SGP-FCC-002)
- Fraud Management Policy (SGP-FCC-003)
- Data Governance Policy (SGP-CDO-001)
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- Information Security Policy
- Whistleblowing Policy (SGP-GOV-002)
- Operational Resilience Policy (SGP-OPS-001)
20. Jurisdiction Annexes¶
Annex 1 - UAE / DIFC¶
Regulatory Framework:
- UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations
- UAE Cabinet Decision No. 10 of 2019 (implementing regulations)
- DFSA Anti-Money Laundering Module (AML)
- UAE Central Bank AML/CFT Standards (applicable to UAE Central Bank licensed entities; relevant by reference for DIFC entities)
Customer Identification: UAE national customers shall be verified using the Emirates ID (issued by the Federal Authority for Identity and Citizenship - ICA). Emirates ID verification shall be conducted electronically through the UAE Pass integration or a DFSA-approved electronic verification service where available. For non-UAE national residents, passport and UAE residence visa shall be verified.
CDD Threshold: AED 55,000 (single transaction) triggers enhanced verification.
Beneficial Ownership: 25% threshold applies. Beneficial ownership register disclosure is required for DIFC-incorporated entities under DIFC Companies Law.
Sanctions: Screening against UAE Cabinet Decision No. 83 of 2023 (Terrorist Designations List) and CBUAE consolidated sanctions list is mandatory in addition to international lists.
Reporting: Suspicious transaction reports shall be filed with the UAE Financial Intelligence Unit (UAEFIU) through the goAML platform. The MLRO is the designated person responsible for UAEFIU filings.
Record-Keeping: Minimum six years from end of relationship or transaction.
Annex 2 - Pakistan¶
Regulatory Framework:
- Anti-Money Laundering Act 2010 (as amended)
- SBP AML/CFT Regulations 2020
- SBP Prudential Regulations for Payment Service Operators/Providers
- Financial Monitoring Unit (FMU) guidelines
Customer Identification: Pakistani national customers shall be verified using the Computerised National Identity Card (CNIC), verified electronically through NADRA's Verisys system. NADRA verification is mandatory for all individual customers resident in Pakistan. For non-resident Pakistanis (NRPs), NICOP (National Identity Card for Overseas Pakistanis) shall be used for verification.
CDD Threshold: PKR 2,500,000 (cumulative monthly) triggers enhanced verification for remittance customers.
Biometric Verification: Where SBP regulations require biometric verification for specific transaction types or account tiers, biometric data shall be collected through NADRA-integrated verification or an SBP-approved alternative.
Beneficial Ownership: 25% threshold per SBP AML/CFT Regulations.
Reporting: Suspicious transaction reports shall be filed with the Financial Monitoring Unit (FMU) Pakistan. Currency transaction reports (CTRs) are required for cash transactions above PKR 2,500,000.
Record-Keeping: Minimum ten years from end of relationship or transaction, per SBP regulations.
Annex 3 - Bangladesh¶
Regulatory Framework:
- Money Laundering Prevention Act 2012 (as amended)
- Anti-Terrorism Act 2009 (as amended)
- Bangladesh Bank AML/CFT Circular (latest version)
- Bangladesh Financial Intelligence Unit (BFIU) AML/CFT Circular and Guidelines
Customer Identification: Bangladeshi national customers shall be verified using the National Identity Card (NID), verified electronically through the Bangladesh Election Commission NID verification system (where API access is available) or through a BFIU-approved verification service. Passports and birth registration certificates are acceptable for customers who do not possess an NID.
CDD Threshold: BDT 100,000 (single transaction) triggers enhanced customer identification for remittance transactions.
Beneficial Ownership: 25% threshold per BFIU guidance.
BFIU Reporting: Suspicious transaction reports and cash transaction reports shall be filed with the Bangladesh Financial Intelligence Unit (BFIU) in accordance with BFIU Circular requirements. The designated Compliance officer for Bangladesh is responsible for BFIU filings and shall maintain a direct communication channel with BFIU.
Record-Keeping: Minimum five years from end of relationship or transaction.
Annex 4 - Nepal¶
Regulatory Framework:
- Asset (Money) Laundering Prevention Act 2008 (as amended by second amendment 2018)
- Nepal Rastra Bank AML/CFT Guidelines
- NRB Unified Directives applicable to payment service providers
Customer Identification: Nepali national customers shall be verified using the citizenship certificate (nagarikta), verified in accordance with NRB guidelines. Passport is accepted for Nepali nationals without a citizenship certificate. Digital identity verification is in early adoption stages in Nepal; physical document verification or partner agent-assisted verification is the primary method.
CDD Threshold: NPR 100,000 (single transaction) triggers enhanced customer identification.
Beneficial Ownership: 25% threshold per NRB KYC Framework.
Reporting: Suspicious transaction reports shall be filed with the Financial Intelligence Unit Nepal (FIU-Nepal) within the timeframes specified in applicable NRB directives. The Country Compliance Officer for Nepal is responsible for FIU-Nepal filings.
Record-Keeping: Minimum five years from end of relationship or transaction.
Infrastructure Considerations: Digital identity infrastructure in Nepal is limited. Simpaisa's Nepal operations shall maintain agent-assisted onboarding procedures where digital verification is unavailable, subject to enhanced oversight and sampling by the MLRO.
Annex 5 - Iraq¶
Regulatory Framework:
- Anti-Money Laundering and Terrorism Financing Law No. 39 of 2015
- Central Bank of Iraq (CBI) AML/CTF Instructions
- CBI Instructions on Payment Systems
Customer Identification: Iraqi national customers shall be verified using the national identity card (Hawiya) or passport. Given the limited availability of digital identity infrastructure and electronic verification systems in Iraq, physical document verification or agent-assisted verification is the primary method. Copies of identity documents shall be retained in physical and digital formats.
CDD Threshold: IQD 10,000,000 (approximately USD 7,500) triggers enhanced customer identification.
Beneficial Ownership: 25% threshold per CBI instructions.
Digital Infrastructure Limitations: Iraq presents significant limitations in digital identity verification, electronic banking infrastructure, and regulatory data access. Simpaisa's Iraq operations shall apply conservative manual verification procedures, with enhanced oversight from the MLRO and quarterly sampling reviews by Compliance. The MLRO shall review Iraq-specific risk appetite annually given the evolving regulatory and security environment.
Reporting: Suspicious transaction reports shall be filed with the Anti-Money Laundering and Terrorism Financing Office (AMLTFO) at the CBI. The Country Compliance Officer for Iraq is responsible for AMLTFO filings.
Record-Keeping: Minimum five years from end of relationship or transaction.
Annex 6 - Canada¶
Regulatory Framework:
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
- FINTRAC Regulations (SOR/2002-184)
- FINTRAC Guidance on Client Identification
- FINTRAC 24-Hour Rule
- FINTRAC guidance on Third-Party Determination
Customer Identification: Canadian resident customers shall be verified using government-issued identity documents in accordance with FINTRAC client identification methods. Acceptable methods include:
- Government-issued photo identity document (primary document - e.g., passport, provincial driver's licence);
- Electronic verification using dual-source method (two independent electronic databases confirming name and address);
- Credit file method (credit file in the customer's name, in existence for at least three years);
- Dual-process method (name and address from one source; name and date of birth from another).
24-Hour Rule: Simpaisa shall comply with the FINTRAC 24-hour rule, which requires aggregation of transactions conducted by the same customer within a 24-hour period for reporting purposes (large cash transaction reports; large virtual currency transaction reports).
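The aggregation the 24-hour rule requires is easy to get wrong in a transaction pipeline (cash and virtual currency must be aggregated separately, and a customer's transactions must be grouped by time rather than by calendar day). The following is an added example, not Simpaisa's own reporting code: it groups constructed sample transactions per customer and report type, opens a window at each unreported transaction that takes in every later transaction less than 24 hours after it, and emits a report wherever the group reaches the CAD 10,000 threshold from the Annex. The rolling-window anchoring is an assumption for illustration; whether a fixed or rolling 24-hour window is used must follow FINTRAC guidance. All transaction data and field names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Annex 6 threshold: CAD 10,000 or more, on a single transaction or aggregated
# across a customer's transactions within 24 hours.
LCTR_THRESHOLD_CAD = 10_000.0
WINDOW = timedelta(hours=24)

# Constructed sample transactions (not real data). `kind` distinguishes cash
# (LCTR) from virtual currency (LVCTR); the two are aggregated separately.
SAMPLE_TXS = [
    {"id": "t1", "customer": "C1", "kind": "cash", "ts": datetime(2026, 4, 1, 9, 0),  "amount_cad": 4_000.0},
    {"id": "t2", "customer": "C1", "kind": "cash", "ts": datetime(2026, 4, 1, 15, 0), "amount_cad": 3_500.0},
    {"id": "t3", "customer": "C1", "kind": "cash", "ts": datetime(2026, 4, 2, 8, 0),  "amount_cad": 3_000.0},
    {"id": "t4", "customer": "C2", "kind": "cash", "ts": datetime(2026, 4, 1, 10, 0), "amount_cad": 6_000.0},
    {"id": "t5", "customer": "C2", "kind": "cash", "ts": datetime(2026, 4, 2, 11, 0), "amount_cad": 5_000.0},
    {"id": "t6", "customer": "C1", "kind": "vc",   "ts": datetime(2026, 4, 3, 12, 0), "amount_cad": 12_000.0},
]


def aggregate_24h(transactions, threshold=LCTR_THRESHOLD_CAD, window=WINDOW):
    """Return the reportable groups under the 24-hour rule.

    Transactions are grouped per (customer, kind) and scanned in time order. A
    window opens at each unreported transaction and takes in every later
    transaction less than `window` after it (assumption: rolling window anchored
    on the first transaction). A group whose total meets the threshold is
    reported once; its transactions are not reused in a later window.
    """
    by_key = defaultdict(list)
    for tx in transactions:
        by_key[(tx["customer"], tx["kind"])].append(tx)

    reports = []
    for (customer, kind), txs in sorted(by_key.items()):
        txs = sorted(txs, key=lambda t: t["ts"])
        i = 0
        while i < len(txs):
            j = i
            while j + 1 < len(txs) and txs[j + 1]["ts"] - txs[i]["ts"] < window:
                j += 1
            group = txs[i:j + 1]
            total = sum(t["amount_cad"] for t in group)
            if total >= threshold:
                reports.append({
                    "customer": customer,
                    "report": "LCTR" if kind == "cash" else "LVCTR",
                    "window_start": group[0]["ts"],
                    "window_end": group[-1]["ts"],
                    "total_cad": total,
                    "transaction_ids": [t["id"] for t in group],
                })
                i = j + 1          # everything in the reported group is consumed
            else:
                i += 1             # slide the window start forward by one transaction
    return reports


if __name__ == "__main__":
    for report in aggregate_24h(SAMPLE_TXS):
        print(report)
```

With the sample data, C1's three cash deposits (none individually reportable) sum to CAD 10,500 inside 23 hours and produce one LCTR; C2's two deposits are 25 hours apart and are never combined; C1's single CAD 12,000 virtual currency transaction produces an LVCTR on its own and is not mixed with the cash figures.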
Third-Party Determination: For all transactions, Simpaisa shall determine whether the customer is acting on behalf of a third party and, if so, collect and record information about the third party in accordance with FINTRAC Regulations.
Beneficial Ownership: 25% threshold per PCMLTFA Regulations. For beneficial owners who are not residents of Canada, additional identity verification steps apply as per FINTRAC guidance.
Reporting: Suspicious transaction reports shall be filed with FINTRAC. Large cash transaction reports (LCTR) are required for cash transactions of CAD 10,000 or more (including aggregated within 24 hours). Large virtual currency transaction reports (LVCTR) are required for virtual currency transactions of CAD 10,000 or more.
Record-Keeping: Minimum seven years from the date of the transaction or end of business relationship.
Annex 7 - United Kingdom¶
Regulatory Framework:
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 and subsequent amendments
- Proceeds of Crime Act 2002 (POCA)
- Terrorism Act 2000
- FCA Financial Crime Guide (FCG)
- JMLSG Guidance (Joint Money Laundering Steering Group)
Customer Identification: UK resident customers shall be verified using electronic verification as the primary method. Electronic verification shall use at least two independent data sources, one of which shall confirm the customer's name and current address, and at least one of which shall be capable of confirming the customer's identity against a government-linked database. Physical document verification is a supplementary method where electronic verification is inconclusive.
Simplified Due Diligence: SDD is available under MLR 2017 for demonstrably low-risk customers, products, and transactions in accordance with regulation 37 and JMLSG Guidance. SDD eligibility shall be assessed and documented for each customer.
Enhanced Due Diligence: EDD is mandatory under MLR 2017 regulation 33 for: high-risk third countries; PEPs; and correspondent relationships with third-country institutions. EDD requirements under MLR 2017 are fully consistent with Section 8 of this Policy.
Beneficial Ownership: 25% threshold per Persons with Significant Control (PSC) regime under the Companies Act 2006 and MLR 2017. UK companies are required to maintain a PSC register; Simpaisa shall cross-reference PSC register filings at Companies House for UK-incorporated corporate customers.
PEP Definition: For UK purposes, the FCA definition of PEP is applied, which includes domestic UK PEPs (in contrast to FATF guidance that permits lower-risk treatment for domestic PEPs). Simpaisa applies EDD to all PEPs, consistent with the regulatory and JMLSG position.
Reporting: Suspicious Activity Reports shall be filed with the National Crime Agency (NCA) via the NCA's online reporting system. The MLRO is responsible for all UK SAR filings. Defence Against Money Laundering (DAML) requests shall be made in appropriate circumstances in accordance with POCA 2002.
Record-Keeping: Minimum five years from the end of the business relationship or completion of the occasional transaction, per MLR 2017 regulation 40.
Appendices¶
Appendix A - Customer Risk Scoring Matrix¶
[Classified: Restricted. Maintained by MLRO. Access limited to: MLRO, Head of Compliance, Country Compliance Officers, and designated Compliance Analysts. Full scoring weights, factor definitions, and calibration history are maintained in this document. Version-controlled within the Compliance Management System.]
Appendix B - Approved Identity Document Types by Jurisdiction¶
| Jurisdiction | Individual Primary Documents | Individual Secondary (Address) Documents | Corporate Registration Documents |
|---|---|---|---|
| UAE | Emirates ID; Passport + UAE Residence Visa | Utility bill; Bank statement (3 months); Government letter | Commercial licence; Certificate of incorporation (DIFC or mainland) |
| Pakistan | CNIC; NICOP (overseas Pakistanis); Passport | Utility bill; Bank statement | Certificate of incorporation; SECP filing |
| Bangladesh | NID; Passport; Birth certificate (where NID unavailable) | Utility bill; Bank statement | RJSC registration certificate |
| Nepal | Citizenship certificate (nagarikta); Passport | Utility bill; Bank statement | Company register extract (Office of Company Registrar) |
| Iraq | National ID (Hawiya); Passport | Utility bill; Official government correspondence | Company register extract (Ministry of Trade) |
| Canada | Passport; Provincial/territorial driver's licence; Permanent residence card | - (Electronic verification preferred) | Certificate of incorporation (federal or provincial) |
| UK | Passport; UK driving licence (photo card) | Bank statement; Utility bill; HMRC correspondence | Companies House certificate of incorporation; PSC register |
Appendix C - Approved Screening and Verification Systems¶
[Maintained by MLRO and CDO. Lists all approved sanctions screening, PEP screening, adverse media, electronic identity verification, and blockchain analytics providers. Reviewed annually and updated upon any material change in system capability or regulatory acceptance.]
Appendix D - EDD Approval and Escalation Log Template¶
[Template maintained by Compliance. EDD approval log is maintained in the Compliance Management System and reviewed by MLRO monthly.]
Appendix E - Periodic Review Schedule and Tracker¶
[Maintained by Compliance. Tracks all active customer relationships by risk category and scheduled review date. Overdue reviews are reported to the MLRO weekly.]