Simpaisa Group - Policy Suite
POLICY 1: CLIENT MONEY POLICY
SIMPAISA GROUP
CLIENT MONEY POLICY
| Field | Detail |
|---|---|
| Document Reference | SGP-FIN-001 |
| Version | 1.0 |
| Status | Active |
| Owner | Chief Financial Officer (CFO) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Internal - Restricted |
Document Control
Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | CFO Office | Initial draft |
| 0.2 | February 2026 | CFO Office, Legal, Compliance | Internal review and revision |
| 0.3 | March 2026 | CFO Office, Head of Treasury | Regulatory alignment review (DFSA, FCA, FINTRAC, SBP) |
| 1.0 | April 2026 | CFO | Board-approved final version |
Distribution
This policy is classified as Internal - Restricted. It is distributed to the Board of Directors, the Chief Financial Officer, the Chief Compliance Officer, the MLRO, the Head of Treasury, the Head of Settlements, the Head of Legal, and designated Finance and Compliance personnel with a functional need. It is held on the internal policy management system with access controls applied. External distribution is limited to regulatory authorities and external auditors as required.
Related Policies and Documents
- AML/CFT Policy (SGP-FCC-001)
- STR/SAR Filing Procedures (SGP-FCC-005)
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- Operational Resilience Policy (SGP-OPS-001)
- DFSA Conduct of Business Module (COB), Appendix 1 (Client Money Rules)
- FCA Client Assets Sourcebook (CASS)
- FINTRAC Proceeds of Crime (Money Laundering) and Terrorist Financing Act requirements
- SBP Payment Systems Operator framework and client funds requirements
- Merchant Payment Services Agreement (MPSA) - standard form
1. Purpose and Scope
1.1 Purpose
This Client Money Policy ("Policy") establishes Simpaisa Group's ("Simpaisa" or "the Group") framework for the receipt, holding, management, safeguarding, reconciliation, and return of client money across all entities and jurisdictions in which the Group operates.
Client money represents one of the most significant areas of regulatory and fiduciary obligation for a payments operator. Simpaisa processes in excess of USD 1 billion in payment flows annually, spanning merchant settlement funds, remittance sender funds, white-label wallet balances, pre-funded disbursement accounts, and crypto conversion proceeds pending disbursement. The protection of these funds - and the clear separation of client money from the Group's own assets - is a non-negotiable legal, regulatory, and ethical obligation.
This Policy satisfies requirements arising from:
- The Dubai Financial Services Authority (DFSA) Client Money Rules as set out in the Conduct of Business Module (COB), Appendix 1, applicable to the Group's regulated activities in the Dubai International Financial Centre (DIFC) and relevant to the Category 3D licence application;
- The Financial Conduct Authority (FCA) Client Assets Sourcebook (CASS), applicable to the Group's UK regulated entity;
- FINTRAC requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated regulations, applicable to the Group's Canadian operations, including trust account requirements;
- The State Bank of Pakistan (SBP) payment systems framework and client funds requirements applicable to the Group's Pakistan entity;
- Bangladesh Bank, Nepal Rastra Bank (NRB), and Central Bank of Iraq (CBI) requirements applicable in those jurisdictions, as set out in the per-jurisdiction requirements in Section 7 of this Policy;
- The Group's own fiduciary obligations to merchants, end-users, and business partners as articulated in Merchant Payment Services Agreements (MPSAs) and terms of service.
1.2 Scope
This Policy applies to:
- All legal entities within the Simpaisa Group, including the Singapore HoldCo (Simpaisa Holdings Pte Ltd) and all nine subsidiary entities;
- All employees, contractors, and secondees who receive, hold, manage, or have access to client money in any jurisdiction;
- All client money regardless of currency, jurisdiction, or product type - including merchant settlement funds, remittance funds, wallet balances, pre-funded disbursement balances, and crypto conversion proceeds;
- All banking institutions and designated accounts used to hold client money;
- All third-party payment processors and correspondent banking partners through whom client money flows.
This Policy does not apply to the Group's own operating funds, capital reserves, or intercompany balances. Where the characterisation of funds as client money is uncertain, the matter shall be escalated to the CFO and Head of Legal for determination, and funds shall be treated as client money in the interim.
2. Definitions
| Term | Definition |
|---|---|
| Client Money | Funds received or held by any Simpaisa entity on behalf of a client (merchant, end-user, or partner) in the course of, or in connection with, the provision of a regulated or payment service. Includes all categories defined in Section 3.1 of this Policy. |
| Merchant Settlement Funds | Funds collected by Simpaisa on behalf of merchants in connection with Pay-In or payment aggregation services, pending settlement to the merchant's designated account. |
| Remittance Sender Funds | Funds received from individual customers for the purpose of cross-border remittance, held pending successful disbursement to the beneficiary. |
| White-Label Wallet Balances | Stored value held within Simpaisa-powered white-label wallet products on behalf of end-users of partner institutions. |
| Pre-Funded Disbursement Balance | Funds placed on account by a partner institution or merchant to pre-fund Pay-Out or disbursement operations, pending instruction to disburse. |
| Crypto Conversion Proceeds | Fiat proceeds arising from the off-ramping of cryptocurrency assets on behalf of a client, held pending disbursement instruction. |
| Designated Client Account | A bank account established and maintained exclusively for the holding of client money, clearly identified as such in its account title and documentation, and separated from any account holding the Group's own funds. |
| Segregation | The physical and legal separation of client money from the Group's own funds, such that client money is identifiable, accessible, and returnable to clients at all times, including in an insolvency scenario. |
| Reconciliation Break | A discrepancy between the client ledger balance and the corresponding bank account balance as identified during the reconciliation process. |
| Internal Reconciliation | A daily comparison, conducted by the Finance team, between the Group's client ledger records and the actual balances held in designated client accounts. |
| External Reconciliation | A weekly review of bank statements and confirmations against internal records, conducted by Finance and reviewed by the Head of Settlements. |
| CFO | Chief Financial Officer - Mohammad Mustafa. |
| Head of Treasury | Asif Khoso. |
| Head of Settlements | Muhammad Sohaib. |
| DFSA | Dubai Financial Services Authority. |
| FCA | Financial Conduct Authority (United Kingdom). |
| FINTRAC | Financial Transactions and Reports Analysis Centre of Canada. |
| SBP | State Bank of Pakistan. |
| MPSA | Merchant Payment Services Agreement - Simpaisa's standard-form merchant contract. |
| CASS | Client Assets Sourcebook - FCA rules governing client money and client assets. |
| COB | DFSA Conduct of Business Module. |
3. Policy Statements
3.1 Definition and Categories of Client Money
3.1.1 For the purposes of this Policy, client money comprises all of the following categories of funds received or held by any Simpaisa entity:
(a) Merchant settlement funds: funds received from payers (consumers, businesses) in connection with merchant Pay-In services, held pending settlement to the merchant. These funds belong to the merchant from the moment of collection and must be treated as client money throughout the settlement cycle.
(b) Remittance sender funds: funds received from individual senders for the purpose of cross-border money transfer, held from the point of receipt until successful disbursement to the nominated beneficiary. In the event of a failed or returned transfer, these funds remain client money until returned to the sender.
(c) White-label wallet balances: stored value balances held within Simpaisa-powered wallet infrastructure on behalf of end-users of partner institutions. The Group recognises these balances as client money owed to end-users, regardless of the contractual structure with the partner institution.
(d) Pre-funded disbursement balances: funds placed on account with Simpaisa by a partner institution or merchant to fund Pay-Out or bulk disbursement operations, held pending receipt of disbursement instructions. These funds remain client money until disbursed or returned.
(e) Crypto off-ramp conversion proceeds: fiat currency proceeds arising from the conversion of a client's cryptocurrency assets, held from the point of conversion until disbursement to the client's nominated fiat account. These proceeds are treated as client money from the moment the conversion is executed.
3.1.2 Where the characterisation of a fund as client money is uncertain, the CFO shall make the determination in writing. Until such determination is made, the fund shall be treated as client money and held in a designated client account.
3.1.3 Client money does not include: (i) fees legitimately earned and withdrawn by Simpaisa in accordance with a client agreement; (ii) funds held by Simpaisa as principal (i.e., in transactions where Simpaisa bears principal risk); or (iii) the Group's own operating capital and reserves.
3.2 Safeguarding Principles
3.2.1 Segregation. Client money shall at all times be held in designated client accounts that are separate from all accounts holding the Group's own funds. No client money shall be held in any account that also contains operational funds, capital reserves, fee income, or intercompany balances. The obligation to segregate applies from the moment client money is received and continues until the funds are disbursed to the client, returned, or otherwise dealt with in accordance with this Policy.
3.2.2 No commingling. Simpaisa's own operational funds, including fee income, treasury holdings, and capital, shall never be mixed with client funds in any designated client account. Where Simpaisa is permitted by regulation to hold a residual buffer of its own funds in a client account (for example, to ensure the account does not fall into debit), the amount of such buffer shall be the minimum necessary, documented, and approved by the Head of Treasury in advance. Such buffers shall not be used for operational liquidity purposes.
3.2.3 Protection on insolvency. The Group shall structure its client money arrangements so that, in the event of insolvency of any Simpaisa entity, client money held in designated client accounts is identifiable, separable, and returnable to clients and is not available to creditors of the insolvent entity. This shall be achieved through: (i) clear account designations and documentation establishing the trust or regulatory basis on which client money is held; (ii) maintenance of accurate, up-to-date client ledger records that enable individual client entitlements to be determined at any time; and (iii) engagement of banking institutions that acknowledge the trust or regulatory status of designated client accounts in their terms and conditions.
3.2.4 Prompt disbursement. Client money shall not be held longer than is necessary to effect the purpose for which it was received. Settlement cycles and disbursement timelines shall be set out in MPSAs and terms of service, and shall be adhered to operationally. Any delay beyond contracted timelines must be approved by the Head of Settlements and recorded.
3.2.5 Adequacy of coverage. At all times, the total balance held in designated client accounts across all jurisdictions and currencies shall be sufficient to meet all client money obligations. The Head of Treasury shall monitor coverage adequacy daily and report any shortfall immediately to the CFO.
3.3 Designated Client Account Requirements
3.3.1 Approved institutions. Client money shall be held only at banking institutions that meet the following criteria:
(a) The institution holds a valid banking licence issued by the relevant regulatory authority in the jurisdiction where the account is held;
(b) The institution carries a minimum credit rating of BBB+ (S&P) or Baa1 (Moody's), or equivalent, for accounts holding balances exceeding USD 1 million (or equivalent). For frontier-market jurisdictions (Pakistan, Bangladesh, Nepal, Iraq) where internationally-rated institutions may not be available, the CFO shall approve institutions on a case-by-case basis, applying the best available credit quality in that market and documenting the rationale;
(c) The institution is acceptable to the DFSA (for DIFC-entity accounts) and to the FCA (for UK-entity accounts) as an approved bank for client money purposes;
(d) The institution has acknowledged, in writing or in its account terms and conditions, the trust or regulatory status of the account and its obligations in relation to client money.
3.3.2 Account naming conventions. All designated client accounts shall be titled in a manner that clearly identifies them as client accounts. The required naming convention is as follows:
- UAE/DIFC entity: "Simpaisa [Entity Name] - Client Account"
- UK entity: "Simpaisa [Entity Name] - Client Money Account" (per CASS requirements)
- Canada entity: "Simpaisa [Entity Name] - Trust Account" (per FINTRAC/provincial requirements)
- All other jurisdictions: "Simpaisa [Entity Name] - Client Funds Account" or the closest equivalent required by local regulation
The Head of Treasury shall maintain an up-to-date register of all designated client accounts, their account numbers, the institutions at which they are held, and the naming conventions applied.
3.3.3 Multi-entity, multi-currency account structure. The Group shall maintain designated client accounts structured as follows:
(a) Each operating entity shall maintain one or more designated client accounts in the primary currency of its operating jurisdiction;
(b) Where an entity receives or holds client money in a material foreign currency (defined as any currency in which the entity holds client money balances exceeding USD 100,000 or equivalent), a separate designated client account in that currency shall be maintained, or currency conversion shall be effected promptly in accordance with client instructions;
(c) Pooled client accounts (holding funds on behalf of multiple clients in a single account) are permitted where applicable regulation allows, provided that: (i) the individual client ledger is maintained with sufficient granularity to identify each client's entitlement at any time; (ii) the reconciliation process validates individual client balances daily; and (iii) disclosure of the pooled structure is made to clients in the relevant client agreement.
3.3.4 Per-jurisdiction account requirements. In addition to the general requirements above, the following jurisdiction-specific requirements apply:
| Jurisdiction | Entity | Key Requirements |
|---|---|---|
| UAE (DIFC) | Simpaisa DIFC entity | DFSA COB Appendix 1 - designated "client money" account; approved bank; trust acknowledgement letter; annual client money audit |
| United Kingdom | Simpaisa UK entity | FCA CASS 7 - statutory trust; approved bank; CASS resolution pack; annual CASS audit |
| Canada | Simpaisa Canada entity | FINTRAC / provincial MSB requirements - trust account structure; records retained 5 years |
| Pakistan | Simpaisa Pakistan entity | SBP Payment Systems Operator conditions - designated account at SBP-approved bank; daily position reporting to SBP as required |
| Bangladesh | Simpaisa Bangladesh entity | Bangladesh Bank MFS/PSP framework - client funds held at scheduled bank; segregation attestation to Bangladesh Bank |
| Nepal | Simpaisa Nepal entity | NRB PSP/PSO licence conditions - client funds at NRB-designated commercial bank |
| Iraq | Simpaisa Iraq entity | CBI licensing conditions - client funds held at licensed Iraqi commercial bank; segregation documentation |
| Singapore | Simpaisa Holdings Pte Ltd | MAS Major Payment Institution licence conditions - client money held in trust; daily reconciliation; MAS notification on material breach |
3.4 Interest and Returns on Client Money
3.4.1 General principle. Unless otherwise agreed in writing in the relevant client agreement (MPSA or terms of service), all interest, profit, or other return earned on client money held in designated client accounts belongs to the client on whose behalf the funds are held, and shall not be retained by Simpaisa.
3.4.2 DFSA position. Under the DFSA Client Money Rules (COB Appendix 1), interest earned on client money belongs to the client unless the client has expressly agreed otherwise in writing. Simpaisa shall ensure that MPSAs with DIFC-regulated counterparties address the treatment of interest explicitly and comply with this requirement.
3.4.3 FCA position. Under FCA CASS rules, a firm must not retain interest earned on client money unless the client has been clearly informed and has agreed. The UK entity shall ensure its client agreements address interest treatment in accordance with CASS requirements.
3.4.4 Islamic finance consideration. In Muslim-majority markets (Pakistan, Bangladesh, Iraq, and where applicable the UAE), the receipt and accrual of interest (riba) on client funds raises Shariah considerations. The Group's approach is as follows:
(a) Where a client has not agreed to interest treatment and the Group holds client funds in an interest-bearing account, any interest accrued on client funds in these markets shall be donated to a Shariah-compliant charitable cause, as directed by the Group's Shariah advisor or the relevant Islamic finance guidelines in the jurisdiction. It shall not be retained by Simpaisa nor credited to the client;
(b) Where operationally feasible and where clients request it, the Group shall endeavour to hold client money in profit-sharing (mudarabah) or non-interest-bearing accounts;
(c) The CFO shall ensure that the treatment of interest and profit on client funds in Islamic finance markets is reviewed annually by a Shariah-competent adviser and documented.
3.4.5 Contractual override. Where a Merchant Payment Services Agreement or other client agreement expressly provides that Simpaisa may retain interest or a portion of returns on client money (for example, in exchange for reduced service fees), such arrangement is permitted provided it complies with applicable regulatory requirements in the relevant jurisdiction. Any such arrangement must be approved by the CFO and documented in the signed client agreement. A register of all such arrangements shall be maintained by Finance.
3.5 Withdrawal and Use of Client Money
3.5.1 Client money shall only be withdrawn from a designated client account for the following purposes:
(a) Payment to or on behalf of the client in accordance with the client's instruction;
(b) Settlement to a merchant or beneficiary in accordance with the relevant transaction instruction;
(c) Return to the client following cancellation, failed transaction, or request for refund;
(d) Payment of Simpaisa's legitimate fees and charges, but only to the extent that such fees have been earned, are contractually due, and the amount has been calculated and confirmed - fees shall be transferred to Simpaisa's own accounts promptly upon being earned and shall not remain in the client account;
(e) As expressly permitted by the applicable regulatory framework (for example, DFSA COB Appendix 1 or FCA CASS 7).
3.5.2 No Simpaisa employee may authorise the withdrawal of client money for any purpose not listed in Section 3.5.1. Any instruction to withdraw client money for an unauthorised purpose shall be refused and reported to the CFO immediately.
3.5.3 All withdrawals from designated client accounts shall be subject to dual authorisation in accordance with the Group's Treasury Controls Policy and banking mandates. Payment authorisation limits and signatories shall be reviewed and updated annually by the CFO.
3.6 Unclaimed and Dormant Client Money
3.6.1 Where client money remains unclaimed for a period of twelve months following the date on which it became due for payment to the client, the Head of Treasury shall initiate a client tracing process to locate and return the funds.
3.6.2 Where client money remains unclaimed following exhaustion of the tracing process, it shall be dealt with in accordance with the applicable unclaimed money laws of the relevant jurisdiction. The Head of Legal shall advise on jurisdiction-specific requirements.
3.6.3 In no circumstances shall unclaimed client money be appropriated to Simpaisa's own accounts unless this is expressly required or permitted by applicable law and the legal basis for doing so has been confirmed in writing by the Head of Legal and approved by the CFO.
4. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Board of Directors | Approve and annually review this Policy; receive monthly client money position report; receive results of annual client money audit; approve any material changes to the client money framework |
| Chief Financial Officer (Mohammad Mustafa) | Overall ownership of this Policy; monthly sign-off on reconciliation; approve designated banking institutions; approve interest treatment arrangements; receive and act on escalated reconciliation breaks; commission and oversee annual client money audit; report to the Board |
| Head of Treasury (Asif Khoso) | Day-to-day management of designated client accounts; daily monitoring of account balances and coverage adequacy; maintain designated account register; manage banking relationships for client accounts; authorise permitted withdrawals within delegated limits; escalate coverage shortfalls or anomalies to CFO immediately |
| Head of Settlements (Muhammad Sohaib) | Daily reconciliation of client ledger against bank statements; weekly external reconciliation review; investigate reconciliation breaks within 24 hours; escalate breaks exceeding $10,000 or unresolved after 5 business days to CFO; prepare monthly reconciliation summary |
| Finance Team | Maintain the client ledger with accuracy and completeness; process approved withdrawals; support reconciliation process; prepare monthly client money position report for CFO and Board |
| Compliance / MLRO | Ensure client money framework satisfies AML/CFT obligations; review for consistency with wider regulatory compliance; provide input to annual client money audit |
| Head of Legal | Advise on jurisdiction-specific regulatory requirements; review and approve banking documentation for designated accounts; advise on unclaimed money treatment; ensure MPSA provisions on client money are compliant |
| External Auditor | Conduct annual client money audit; report findings and recommendations to the Board; confirm compliance with applicable regulatory requirements |
| Internal Audit | Provide independent assurance over the client money framework as part of the annual audit plan; report findings to the Board Audit and Risk Committee |
5. Procedures
5.1 Receipt of Client Money
5.1.1 Upon receipt of a payment constituting client money, Finance shall record the credit in the client ledger against the relevant client account within the same business day.
5.1.2 Client money received shall be deposited into the relevant designated client account no later than the next business day following receipt. Where same-day deposit is not operationally achievable, the reason shall be documented and the funds shall be maintained in a segregated holding position until deposit is completed.
5.1.3 Incoming client money shall not be routed through any Simpaisa operating account, even temporarily. Where banking infrastructure requires a transient routing through an operational account (for example, due to correspondent banking limitations), the transit period shall be minimised, documented, and reviewed by the Head of Treasury. The Head of Legal shall confirm whether such routing arrangements are permitted under applicable regulations in the relevant jurisdiction.
5.2 Daily Reconciliation
5.2.1 The Head of Settlements, supported by the Finance team, shall conduct a daily internal reconciliation for each designated client account. This reconciliation shall compare:
(a) The aggregate client ledger balance (sum of all individual client positions in that account); and
(b) The actual closing balance of the designated client account as reported by the banking institution.
5.2.2 The daily reconciliation shall be completed by 10:00 UAE time on the following business day using the prior day's closing balances.
5.2.3 The outcome of each daily reconciliation shall be recorded in the reconciliation log maintained by the Head of Settlements. A reconciliation shall be recorded as either:
- Matched: ledger balance equals bank balance (within a de minimis tolerance of USD 10 or equivalent);
- Break identified: difference exceeds de minimis tolerance - requires investigation.
5.2.4 The reconciliation process shall cover all designated client accounts across all entities and currencies in which material balances are held. Non-material accounts (defined as those with average daily balances below USD 10,000) may be reconciled weekly provided the Head of Treasury has assessed and documented the lower frequency as appropriate given the risk profile.
5.3 Weekly External Reconciliation Review
5.3.1 Each week, the Finance team shall conduct an external reconciliation review for all material designated client accounts. This review shall include comparison of the Group's internal records against:
(a) Bank statements received from the banking institution;
(b) Transaction confirmation records from payment processors and correspondent banks;
(c) Client transaction records and settlement instructions.
5.3.2 The weekly external reconciliation review shall be reviewed and signed off by the Head of Settlements no later than the Wednesday of the following week.
5.3.3 Any discrepancies identified in the weekly review that were not identified in daily reconciliation shall be treated as reconciliation breaks and investigated in accordance with Section 5.4.
5.4 Break Management
5.4.1 A reconciliation break is any difference between the client ledger and the corresponding bank account balance that exceeds the de minimis tolerance of USD 10 (or equivalent). All breaks, regardless of amount, shall be recorded in the break register maintained by the Head of Settlements.
5.4.2 Upon identification of a reconciliation break, the following response timeframes apply:
| Break Amount | Investigation Deadline | Resolution Deadline | Escalation |
|---|---|---|---|
| Any amount | Within 24 hours of identification | Within 5 business days | If unresolved after 5 business days, escalate to CFO |
| Greater than USD 10,000 (or equivalent) | Within 24 hours of identification | Within 5 business days | Escalate to CFO immediately upon identification; CFO to assess regulatory notification obligations |
| Greater than USD 100,000 (or equivalent) | Within 24 hours of identification | Within 5 business days | Escalate to CFO and Board immediately; CFO to assess and manage regulatory notification |
5.4.3 The investigation of a reconciliation break shall include: identification of the cause; determination of whether client funds are at risk; assessment of whether regulatory notification is required; and the corrective action taken. All investigations shall be documented in the break register.
5.4.4 Where a reconciliation break of any amount indicates that client money may have been lost, misappropriated, or applied for an improper purpose, the CFO shall be notified immediately and shall determine whether notification to the relevant regulatory authority is required. The MLRO shall also be notified to assess whether a suspicious transaction report is required.
5.4.5 Resolution of a break means the cause has been identified, documented, and corrected, and the client ledger and bank balance are reconciled. Partial resolution (cause identified but correction pending) shall be reported to the CFO with an expected resolution date.
5.5 Monthly CFO Sign-Off
5.5.1 The Head of Settlements shall prepare a Monthly Client Money Reconciliation Summary for each entity, covering:
(a) A summary of all reconciliations conducted during the month;
(b) All breaks identified, investigated, and resolved;
(c) Any breaks outstanding at month-end (with status and expected resolution);
(d) Confirmation that client money coverage was adequate throughout the month;
(e) Any material observations or concerns.
5.5.2 The Monthly Client Money Reconciliation Summary shall be submitted to the CFO by the fifth business day of the following month.
5.5.3 The CFO shall review the summary and provide a written sign-off confirming satisfaction with the reconciliation process and the accuracy of client money records, or documenting any concerns to be actioned. This sign-off shall be retained for a minimum of six years.
5.6 Monthly Client Money Position Report
5.6.1 Finance shall prepare a Monthly Client Money Position Report, presented to the CFO and shared with the Board, covering:
(a) Total client money held, by entity and currency;
(b) Balance by client money category (merchant settlement, remittance, wallet, pre-funded, crypto proceeds);
(c) Aggregate client ledger versus aggregate bank balance (by entity);
(d) Status of designated client accounts (institution, balance, credit quality);
(e) Summary of any reconciliation breaks in the period;
(f) Any regulatory notifications made or received in relation to client money;
(g) Any changes to designated account arrangements during the period.
5.6.2 The Monthly Client Money Position Report shall be presented to the Board as part of the regular CFO financial report.
5.7 Annual Client Money Audit
5.7.1 The Group shall commission an annual client money audit conducted by an external auditor acceptable to the DFSA and, where applicable, the FCA. The annual audit shall cover:
(a) Compliance with this Policy and applicable regulatory requirements in each jurisdiction;
(b) Adequacy of internal controls over client money receipt, holding, disbursement, and reconciliation;
(c) Accuracy of client ledger records and completeness of reconciliation;
(d) Adequacy of banking documentation (account designations, trust acknowledgement letters);
(e) Compliance with interest treatment requirements;
(f) Adequacy of record-keeping.
5.7.2 The annual audit shall be completed and the audit report submitted to the Board no later than four months after the Group's financial year-end.
5.7.3 The CFO shall prepare an audit remediation plan in response to any findings or recommendations made by the external auditor. The remediation plan shall be presented to the Board within 30 days of receipt of the audit report, with target completion dates for each action.
5.7.4 Progress against the remediation plan shall be reported to the Board quarterly until all actions are closed.
6. Monitoring and Reporting
6.1 Ongoing Monitoring
The following monitoring activities shall be conducted on a continuous basis:
| Activity | Frequency | Owner | Reported To |
|---|---|---|---|
| Internal reconciliation (client ledger vs bank) | Daily | Head of Settlements | Head of Treasury |
| Client money coverage adequacy check | Daily | Head of Treasury | CFO (immediate if shortfall) |
| External reconciliation review | Weekly | Head of Settlements | Head of Settlements sign-off |
| Break register review | Weekly | Head of Treasury | CFO |
| Client money position report | Monthly | Finance | CFO and Board |
| CFO reconciliation sign-off | Monthly | CFO | Board record |
| Designated account register review | Quarterly | Head of Treasury | CFO |
| Banking institution credit quality review | Annually | Head of Treasury | CFO |
| Annual client money audit | Annually | External Auditor | Board |
| Policy review | Annually | CFO | Board approval |
6.2 Regulatory Reporting
The CFO and Head of Legal shall maintain a regulatory reporting calendar covering all client money reporting obligations in each jurisdiction. This calendar shall be reviewed and updated at least quarterly. Key reporting obligations include:
- DFSA: Annual client money audit report to be made available to the DFSA on request; prompt notification of any material breach of client money requirements;
- FCA: Annual CASS audit; CASS compliance reporting as required by FCA rules; prompt notification of any material CASS breach;
- FINTRAC: Compliance reporting as required under the MSB framework; trust account records to be available for inspection;
- SBP: Client funds reporting as required by the SBP Payment Systems Operator licence conditions;
- Other jurisdictions: As required by applicable local licensing conditions - managed by the relevant entity's compliance function in coordination with Group Compliance.
6.3 Key Performance Indicators
| KPI | Target | Owner |
|---|---|---|
| Daily reconciliation completion rate | 100% of business days | Head of Settlements |
| Reconciliation breaks resolved within 5 business days | 100% | Head of Settlements |
| Breaks exceeding USD 10,000 escalated to CFO within 24 hours | 100% | Head of Settlements |
| Monthly client money position report delivered on time | 100% | Finance |
| CFO monthly sign-off completed on time | 100% | CFO |
| Annual audit report delivered within 4 months of year-end | 100% | External Auditor |
| Client money coverage shortfall incidents | Zero | Head of Treasury |
| Commingling incidents | Zero | Head of Treasury |
7. Exceptions
7.1 Exception Process
Any request for an exception to this Policy must be submitted in writing to the CFO, with a full description of the exception sought, the business or operational reason, the associated risks, and proposed mitigating controls. No exception may be granted that would result in a breach of applicable law or regulation.
7.2 Approval Authority
Exceptions to this Policy may be approved only by the CFO (for operational exceptions) or the Board (for structural or regulatory exceptions). The MLRO and Head of Legal must be consulted on any exception with regulatory implications.
7.3 Exception Register
All approved exceptions shall be recorded in an exception register maintained by Finance, including the scope, duration, approver, and rationale. The exception register shall be reviewed by the CFO quarterly and presented to the Board Audit and Risk Committee annually.
7.4 Prohibited Exceptions
No exception shall be granted that would permit:
(a) Commingling of client money with the Group's own funds;
(b) Use of client money to fund Simpaisa's operational expenses or capital requirements;
(c) Failure to maintain a daily reconciliation;
(d) Holding of client money at an institution that does not meet the credit quality requirements of this Policy, without CFO approval and documented rationale;
(e) Any arrangement that would place client money at risk in a Simpaisa insolvency scenario.
8. Related Policies
- AML/CFT Policy (SGP-FCC-001)
- STR/SAR Filing Procedures (SGP-FCC-005)
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- Operational Resilience Policy (SGP-OPS-001)
- Fraud Risk Management Policy (SGP-FCC-003)
- Data Governance Policy (SGP-CDO-001)
- Treasury and Liquidity Management Policy (SGP-FIN-002)
- Merchant Payment Services Agreement (standard form)
9. Appendices
Appendix A: Designated Client Account Register (Template)
| Entity | Account Holder Name | Account Title | Bank / Institution | Account Number | Currency | Jurisdiction | Regulatory Basis | Trust Acknowledgement Obtained | Date Established | CFO Approval Date |
|---|---|---|---|---|---|---|---|---|---|---|
| [Entity] | [Legal entity name] | [Account title per Section 3.3.2] | [Institution name] | [Account number - redacted in distributed copy] | [Currency] | [Jurisdiction] | [DFSA COB / CASS / FINTRAC / SBP / etc.] | [Yes / No / Date] | [Date] | [Date] |
The live Designated Client Account Register is maintained by the Head of Treasury and is available to authorised personnel via the internal finance system. It is updated immediately upon any change to account arrangements and reviewed in full quarterly.
Appendix B: Daily Reconciliation Process - Step-by-Step
1. Finance team extracts the prior day's closing balance from each designated client account via the banking portal or MT940 statement feed.
2. Finance team extracts the prior day's closing aggregate client ledger balance from the payments platform ledger, by entity and currency.
3. Finance team compares (1) and (2) for each account.
4. Where balances match within the de minimis tolerance of USD 10 (or equivalent), the reconciliation is recorded as Matched in the reconciliation log.
5. Where a discrepancy exceeds USD 10 (or equivalent), a break is recorded in the break register with: date, account, amount of discrepancy, initial hypothesis on cause.
6. The reconciliation log and break register are submitted to the Head of Settlements by 10:00 UAE time.
7. Head of Settlements reviews and approves the reconciliation log; assigns ownership of each break investigation.
8. Break investigations are conducted in accordance with Section 5.4 of this Policy.
Appendix C: Reconciliation Break Register (Template)
| Break ID | Date Identified | Entity | Account | Currency | Break Amount | Break Direction (Over / Under) | Initial Cause Hypothesis | Investigation Owner | Investigation Status | Resolution Date | Root Cause (Confirmed) | Escalation Required (Y/N) | CFO Notified (Date) | Regulatory Notification Required (Y/N) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| [Auto-generated] | | | | | | | | | | | | | | |
Appendix D: Per-Jurisdiction Regulatory Reference Summary
| Jurisdiction | Primary Regulatory Framework | Client Money Provisions | Reporting Obligations | Record-Keeping Minimum |
|---|---|---|---|---|
| UAE / DIFC | DFSA COB Module, Appendix 1 | Designated client money accounts; trust basis; approved bank; annual audit | Annual audit available to DFSA; prompt breach notification | 6 years |
| United Kingdom | FCA CASS 7 | Statutory trust; CASS-compliant bank; CASS resolution pack | Annual CASS audit; FCA breach notification (immediate if material) | 5 years (minimum) |
| Canada | FINTRAC / provincial MSB legislation | Trust account structure; records available for inspection | MSB compliance reporting; FINTRAC inspection records | 5 years |
| Pakistan | SBP Payment Systems Operator conditions | Designated account at SBP-approved bank; daily position as required | SBP periodic reporting per licence conditions | 5 years |
| Bangladesh | Bangladesh Bank MFS/PSP framework | Segregated account at scheduled commercial bank | Bangladesh Bank periodic returns | 5 years |
| Nepal | NRB PSP/PSO Licence Conditions | Client funds at NRB-designated commercial bank | NRB reporting per licence | 5 years |
| Iraq | CBI Licensing Conditions | Licensed Iraqi commercial bank; segregation documentation | CBI periodic reporting | 5 years |
| Singapore | MAS Major Payment Institution conditions | Trust; daily reconciliation; MAS breach notification | MAS statutory returns | 5 years |
Appendix E: Glossary Cross-Reference
Defined terms used in this Policy are set out in Section 2. Where a term used in this Policy is also defined in an applicable regulatory instrument (DFSA COB, FCA CASS, etc.), the regulatory definition shall prevail in the context of compliance with that regulatory instrument, and this Policy shall be interpreted accordingly.
This Policy was approved by the Board of Directors of Simpaisa Group on [Approval Date]. It is effective from 1 April 2026 and shall be reviewed no later than 1 April 2027, or earlier if required by a material change in applicable regulation or the Group's business.
Owner: Mohammad Mustafa, Chief Financial Officer
Classification: Internal - Restricted
---
POLICY 2: STR/SAR FILING PROCEDURES
SIMPAISA GROUP
STR/SAR FILING PROCEDURES
| Field | Detail |
|---|---|
| Document Reference | SGP-FCC-005 |
| Version | 1.0 |
| Status | Active |
| Owner | Money Laundering Reporting Officer (MLRO) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential - MLRO Office |
Document Control
Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | MLRO Office | Initial draft |
| 0.2 | February 2026 | MLRO, Compliance, Legal | Internal review and multi-jurisdiction alignment |
| 0.3 | March 2026 | MLRO | Regulatory review - DFSA, FINTRAC, UK POCA |
| 1.0 | April 2026 | MLRO | Board-approved final version |
Distribution
This document is classified as Confidential - MLRO Office. It is distributed to the MLRO, the Deputy MLRO, the Chief Compliance Officer, Compliance personnel with designated AML responsibilities, and the Board of Directors. It is NOT distributed generally to staff. Employee-facing guidance on internal suspicion reporting obligations is communicated separately through the Internal Suspicion Reporting Procedure (a controlled document maintained by the MLRO). The existence of this document shall not be disclosed to persons outside the distribution list except as required by law or regulation.
Related Policies and Documents
- AML/CFT Policy (SGP-FCC-001)
- Customer Due Diligence and KYC Policy (SGP-FCC-002)
- Fraud Risk Management Policy (SGP-FCC-003)
- Sanctions Compliance Policy (SGP-FCC-004)
- Client Money Policy (SGP-FIN-001)
- Internal Suspicion Reporting Form (MLRO controlled document)
- MLRO STR Decision Log (MLRO controlled document)
- DFSA Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML)
- FCA SYSC and JMLSG Guidance
- FINTRAC Compliance Programme requirements
- Proceeds of Crime Act 2002 (UK), Part 7
- UAE Federal Decree-Law No. 20 of 2018 on AML/CFT
1. Purpose and Scope
1.1 Purpose
These STR/SAR Filing Procedures ("Procedures") document the end-to-end process for identifying, internally reporting, assessing, and filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) across all jurisdictions in which the Simpaisa Group operates.
The obligation to report suspicions of money laundering (ML) or terrorist financing (TF) to the relevant Financial Intelligence Unit (FIU) or competent authority is one of the most fundamental obligations of a regulated payments operator. Failure to file an STR/SAR when required, or filing one incorrectly, may constitute a criminal offence in multiple jurisdictions and exposes the Group, the MLRO personally, and individual employees to serious legal and regulatory consequences.
These Procedures are designed to ensure that:
(a) Every instance of suspected ML/TF identified anywhere in the Group is escalated to the MLRO promptly and through a secure channel;
(b) The MLRO has a clear, documented framework for assessing internal reports and making file/no-file decisions;
(c) STRs and SARs are filed with the correct authority, in the correct form, within the required timeframe, in every jurisdiction;
(d) The tipping-off prohibition is understood and rigorously observed by all relevant personnel;
(e) Records are maintained in accordance with the requirements of each applicable jurisdiction;
(f) The quality and effectiveness of the STR/SAR process is subject to ongoing monitoring and independent review.
1.2 Scope
These Procedures apply to:
- All legal entities within the Simpaisa Group;
- The MLRO, Deputy MLRO, and all Compliance personnel with AML responsibilities;
- All employees, contractors, and secondees who identify or receive information giving rise to a suspicion of ML/TF in the course of their duties;
- All products and services offered by the Group, including Pay-Ins, Pay-Outs, Remittances, Crypto Off-Ramping, and White-Label Wallets;
- All transaction types and all customer categories (merchants, retail end-users, business partners).
These Procedures apply in addition to, and do not replace, the obligations set out in the Group's AML/CFT Policy (SGP-FCC-001). In the event of any conflict between these Procedures and the AML/CFT Policy, the MLRO shall determine the applicable position, escalating to the Chief Compliance Officer if necessary.
2. Definitions
| Term | Definition |
|---|---|
| STR | Suspicious Transaction Report - the form of report filed with a FIU or competent authority in most jurisdictions (used particularly in UAE, Pakistan, Bangladesh, Nepal, Iraq, Canada, and Singapore). |
| SAR | Suspicious Activity Report - the terminology used in the United Kingdom for reports filed with the National Crime Agency (NCA) under the Proceeds of Crime Act 2002. |
| MLRO | Money Laundering Reporting Officer - the individual appointed in accordance with applicable AML legislation and regulation to receive internal suspicion reports and make decisions on external filing. At Simpaisa, the MLRO is Shoukat Bizinjo. |
| Deputy MLRO | The individual designated to act in the MLRO's absence with full authority to receive internal reports and make filing decisions. |
| Internal Report | A report made by an employee to the MLRO (or Deputy MLRO in their absence) disclosing a suspicion of ML/TF. |
| Internal Suspicion Reporting Form | The standardised form used by employees to submit internal reports to the MLRO. Maintained as a controlled document by the MLRO Office. |
| STR Decision Log | The confidential log maintained personally by the MLRO recording every internal report received, the assessment conducted, and the file/no-file decision (with full rationale). |
| FIU | Financial Intelligence Unit - the competent authority in each jurisdiction that receives and processes STRs/SARs. |
| Tipping-Off | The disclosure to a person who is the subject of, or connected to, an STR/SAR (or to any other unauthorised person) that such a report has been, is being, or is intended to be filed. Tipping-off is a criminal offence in all jurisdictions relevant to the Group. |
| DAML | Defence Against Money Laundering - a UK-specific mechanism under the Proceeds of Crime Act 2002 whereby the MLRO requests consent from the NCA before proceeding with a transaction that is the subject of a SAR. |
| goAML | The FATF-standard web-based platform operated by the UAE FIU (and adopted by DIFC/DFSA) for the submission of STRs and other financial intelligence reports. |
| SONAR | Singapore's STR Online Notification and Reporting platform, operated by the Suspicious Transaction Reporting Office (STRO). |
| ML | Money laundering - the process by which criminally-derived funds are concealed, converted, or transferred to disguise their origin. |
| TF | Terrorist financing - the provision or collection of funds with the intention or knowledge that they are to be used, in full or in part, to carry out a terrorist act or to support a terrorist organisation. |
| Reasonable Grounds to Suspect | The objective test for whether a suspicion of ML/TF exists - whether a reasonable person in possession of the same information would form a suspicion. This test does not require certainty or proof. |
| Actual Suspicion | The subjective test - whether the individual MLRO personally suspects ML/TF based on the information before them. |
| goAML | The FATF-standard digital portal used for STR submission in UAE/DIFC. |
| PCMLTFA | Proceeds of Crime (Money Laundering) and Terrorist Financing Act - Canada's primary AML/CFT legislation. |
| POCA | Proceeds of Crime Act 2002 - UK primary legislation governing AML obligations and SAR filing. |
| BPSSR | Bangladesh Anti-Money Laundering and Combating Financing of Terrorism Regulations 2014. |
3. Policy Statements
3.1 Obligation to Report
3.1.1 Simpaisa Group and all its employees operating in any jurisdiction are legally obligated to report suspicions of money laundering or terrorist financing to the relevant competent authority. This obligation exists independently of whether the suspicious activity ultimately proves to involve criminal conduct.
3.1.2 The standard for reporting is suspicion, not certainty. An employee or the MLRO is not required to prove that ML or TF has occurred, is occurring, or is likely to occur. Where there are reasonable grounds to suspect ML/TF (the objective test), the obligation to report is engaged.
3.1.3 No employee shall be penalised, disadvantaged, or subject to adverse treatment for making an internal report of suspicion in good faith. The Group shall maintain a culture in which internal reporting of suspicions is encouraged, protected, and treated as a fulfilment of professional and legal duty.
3.1.4 The MLRO is personally responsible for the Group's STR/SAR filing function. This responsibility is not delegable, except to the Deputy MLRO in the MLRO's absence.
3.1.5 These Procedures shall take precedence over all commercial considerations. No revenue opportunity, client relationship, or business pressure shall influence the MLRO's file/no-file decision.
3.2 Tipping-Off Prohibition
3.2.1 The tipping-off prohibition is absolute. No person within the Group shall disclose - to the subject of a suspicion, to the customer, to any counterparty, or to any unauthorised person - that: (i) an internal report has been or will be made; (ii) an STR/SAR has been or will be filed; or (iii) an investigation into suspected ML/TF is underway or contemplated.
3.2.2 The prohibition applies to all forms of disclosure, including verbal, written, electronic, and indirect disclosure. An employee must not take any action that would alert the subject to the existence of a suspicion or a report.
3.2.3 Permitted disclosures (not constituting tipping-off) include:
(a) Disclosure to a regulatory or law enforcement authority, where required or permitted by law;
(b) Intra-group disclosure for the purposes of ensuring compliance with AML/CFT obligations, where permitted by the law of the relevant jurisdictions (as determined by the MLRO);
(c) Disclosure to the Group's legal advisers for the purpose of obtaining legal advice;
(d) Disclosure required under a court order or compulsory legal process - in which case the MLRO must be informed immediately before any disclosure is made.
3.2.4 Consequences of tipping-off: tipping-off is a criminal offence in all jurisdictions relevant to the Group. Any employee found to have tipped off a subject shall be subject to immediate disciplinary action, up to and including dismissal, and the matter shall be reported to the MLRO and to the relevant regulatory authority.
4. Internal Suspicion Reporting
4.1 Employee Obligation to Report Internally
4.1.1 Any employee who, in the course of their duties, knows or suspects - or has reasonable grounds for knowing or suspecting - that a person is engaged in, or attempting to engage in, ML or TF, must make an internal report to the MLRO as soon as practicable and in any event within 24 hours of forming the suspicion.
4.1.2 The internal reporting obligation applies to all employees, including customer-facing staff, operations personnel, Finance, Treasury, Settlements, Technology, and senior management. There is no category of employee who is exempt from this obligation.
4.1.3 Where an employee is uncertain whether their concern rises to the level of suspicion, they shall err on the side of reporting. The MLRO will determine whether the suspicion threshold is met. An employee who reports in good faith on information that does not ultimately give rise to a filed STR/SAR shall not be penalised.
4.1.4 Employees shall NOT attempt to investigate their suspicion beyond what is necessary to make the internal report. Investigation is the responsibility of the MLRO. Employees must not disclose their suspicion to colleagues (except where strictly necessary to complete the internal report) or to the subject of the suspicion.
4.2 Internal Report Format
4.2.1 All internal reports shall be submitted to the MLRO using the Internal Suspicion Reporting Form, which is available through the secure internal compliance portal and via direct request to the MLRO Office.
4.2.2 The Internal Suspicion Reporting Form shall capture the following information:
(a) Reporter's name, role, and entity;
(b) Date and time the suspicion was formed;
(c) Details of the subject(s) of the suspicion (customer name, account number, entity type);
(d) Description of the transaction(s) or activity giving rise to the suspicion, including: date(s), amounts, currencies, transaction reference numbers, originating and beneficiary details;
(e) The specific reason(s) for suspicion - why the reporter considers the activity suspicious, with reference to red flags, alerts, or observed behaviour;
(f) Supporting evidence available (transaction records, system alerts, documents, communications);
(g) Whether the reporter has taken any action (for example, declined a transaction, placed a hold on an account);
(h) Whether the reporter believes there is a risk of tipping-off if normal business continues.
4.2.3 The form must be completed as fully as possible. Where information is not available, the reporter shall indicate this and explain why. An incomplete form shall not delay submission - the reporter shall submit what they have and follow up with additional information as it becomes available.
4.3 Internal Reporting Channel
4.3.1 Internal reports shall be submitted via:
(a) Primary channel: secure submission through the internal compliance portal (details held by MLRO Office); or
(b) Secondary channel (where portal is inaccessible): encrypted email to the MLRO's designated secure email address, with the subject line "CONFIDENTIAL - Internal Suspicion Report" and no further identifying information in the subject line.
4.3.2 Internal reports shall NOT be submitted via standard corporate email (unencrypted), instant messaging platforms, verbal communication alone, or any channel not designated in Section 4.3.1. Where a verbal report is made (for example, in an urgent situation), it must be followed by a written Internal Suspicion Reporting Form submission within four hours.
4.3.3 The MLRO's secure email address and portal access details are maintained in a controlled document held by the MLRO Office. They are shared with employees at onboarding and upon AML training completion. They are not published generally on the intranet to maintain the confidentiality of the channel.
5. MLRO Assessment and Decision
5.1 Review Timeframe
5.1.1 Upon receipt of an internal report, the MLRO (or Deputy MLRO in their absence) shall acknowledge receipt to the reporter within four hours.
5.1.2 The MLRO shall complete an initial review of the internal report within 48 hours of receipt in standard cases.
5.1.3 In urgent cases - defined as cases where: (i) a transaction is currently pending execution; (ii) there is an immediate risk of asset flight; or (iii) the suspected activity involves terrorist financing - the MLRO shall complete the initial review within 24 hours of receipt and shall take any necessary interim protective measures (see Section 8 of these Procedures) without delay.
5.1.4 Where the MLRO requires additional information to complete the assessment, they shall request it from the reporter or from relevant internal functions within 24 hours of receipt of the internal report. The request for further information does not suspend the filing obligation - if information is not received within a reasonable time and the suspicion threshold is met on the available information, the MLRO shall proceed to file.
5.2 Assessment Factors
5.2.1 In assessing an internal report, the MLRO shall consider:
(a) Whether the reasonable grounds test for suspicion is met on the information available - i.e., whether a reasonable and informed professional in the MLRO's position would form a suspicion of ML/TF;
(b) The nature, pattern, and context of the transaction(s) or activity - including whether they are consistent with the customer's known profile, business, and transactional history;
(c) Applicable red flags and typologies for the relevant product type (remittance, merchant payments, crypto off-ramp, wallet), customer segment, and corridor;
(d) Results of any relevant transaction monitoring alerts, KYC reviews, or adverse media searches;
(e) Whether the activity may have a legitimate explanation that has not been adequately explored - and if so, whether further customer due diligence can be conducted without creating a tipping-off risk;
(f) Whether the suspicion relates to ML only, TF only, or both;
(g) The applicable jurisdiction(s) and whether a filing obligation exists in those jurisdictions;
(h) The urgency of any required action (transaction pending, asset at risk).
5.2.2 The MLRO shall not apply a commercial filter to the assessment. The profitability of a customer relationship, the volume of business at risk, or the prospect of regulatory scrutiny shall not influence the assessment. The sole consideration is whether the suspicion threshold is met.
5.3 MLRO Decision
5.3.1 Following the assessment, the MLRO shall make one of the following decisions:
(a) File STR/SAR: the MLRO is satisfied that reasonable grounds for suspicion of ML/TF exist, and the obligation to file is engaged. The MLRO shall proceed to file in accordance with Section 6 of these Procedures;
(b) Do not file: the MLRO is satisfied that, on the available information, the suspicion threshold is not met and there is a reasonable and documented explanation for the activity. The rationale for the no-file decision must be recorded in full in the STR Decision Log;
(c) Request further information: the MLRO requires additional information before making a determination. Further information is requested from internal functions, and the assessment is paused - but only for the minimum time necessary and only where the delay does not prejudice any filing obligation.
5.3.2 The MLRO's decision is personal and non-delegable. Only the Deputy MLRO, acting in the MLRO's absence, may make an STR/SAR decision. The Deputy MLRO shall notify the MLRO of any decisions made in their absence at the earliest opportunity.
5.3.3 The MLRO shall record every decision - whether to file or not to file - in the STR Decision Log with full reasoning. A no-file decision is as significant a regulatory document as a filed STR, and shall be recorded with equal rigour. The decision log entry shall include: report reference number; date of receipt; date of decision; summary of assessment; decision; rationale; any further action required.
5.4 Deputy MLRO
5.4.1 The MLRO shall designate a Deputy MLRO who has sufficient seniority, knowledge of the Group's AML/CFT obligations, and access to the STR Decision Log and relevant systems to discharge the MLRO function in the MLRO's absence.
5.4.2 The Deputy MLRO designation shall be documented in writing and approved by the Board. The identity of the Deputy MLRO shall be communicated to Compliance personnel.
5.4.3 The Deputy MLRO shall receive the same training as the MLRO in STR/SAR filing obligations across all relevant jurisdictions.
6. Filing Procedures by Jurisdiction
6.1 General Principles
6.1.1 Where the MLRO has decided to file an STR/SAR, the filing shall be made to the competent authority in the jurisdiction(s) where: (i) the suspicious activity occurred; (ii) the Group entity involved holds its regulatory licence; and/or (iii) the applicable AML/CFT legislation requires filing. Where multiple jurisdictions are implicated, the MLRO shall determine whether filings are required in more than one jurisdiction.
6.1.2 Filing shall be completed within the timeframe specified by the applicable regulatory regime in each jurisdiction. Where no specific timeframe is prescribed, the MLRO's standard is to file as soon as reasonably practicable and in any event within five business days of the MLRO's decision to file.
6.1.3 All filed STRs/SARs shall be: accurate and complete on the information available at the time of filing; submitted via the designated portal or channel for the relevant jurisdiction; accompanied by any mandatory supporting documentation; and followed up promptly if the FIU requests further information.
6.2 UAE and DIFC
6.2.1 Applicable framework: UAE Federal Decree-Law No. 20 of 2018 on AML/CFT and its implementing regulations; DFSA AML Module; DIFC Law No. 1 of 2012 (as amended). The UAE FIU (goAML platform) is the primary reporting authority for UAE-domiciled entities. The DFSA must also be notified where the filing relates to regulated activities of the DIFC entity.
6.2.2 Filing portal: goAML (https://www.uaefiu.gov.ae/goAML). The MLRO shall maintain valid access credentials for the DIFC entity on goAML. Credentials shall be reviewed and refreshed annually.
6.2.3 Filing process:
(a) The MLRO logs into the goAML portal and selects the STR report type;
(b) The report is completed with subject details, transaction details, grounds for suspicion, and supporting narrative;
(c) Relevant supporting documents (transaction records, KYC documents, internal report) are uploaded;
(d) The report is submitted and the goAML reference number is recorded in the STR Decision Log;
(e) A copy of the submitted report is retained by the MLRO in secure storage.
6.2.4 DFSA notification: Where an STR relates to the regulated activities of the DIFC entity, the MLRO shall notify the DFSA in accordance with the AML Module requirements. The notification shall be made promptly and shall not duplicate the content of the goAML filing in a manner that could prejudice any investigation.
6.2.5 Timeframe: As soon as reasonably practicable upon forming a suspicion. The UAE AML Law does not prescribe a specific number of days, but best practice and regulatory expectation is prompt filing. The MLRO shall not delay filing pending the outcome of transaction monitoring alone.
6.3 United Kingdom
6.3.1 Applicable framework: Proceeds of Crime Act 2002 (POCA), Part 7; Terrorism Act 2000, Part III; Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017); JMLSG Guidance. The National Crime Agency (NCA) is the competent authority. SARs are submitted via SAR Online.
6.3.2 Filing portal: SAR Online (https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/money-laundering-and-illicit-finance/ukfiu/sar-online). The MLRO shall maintain valid access credentials for the UK entity.
6.3.3 Filing process:
(a) The MLRO logs into SAR Online and completes the SAR form;
(b) The SAR includes: subject details; transaction details; basis for suspicion in sufficient narrative detail; any relevant prior SARs relating to the same subject;
(c) The SAR is submitted and the NCA reference number is recorded in the STR Decision Log;
(d) A copy of the submitted SAR is retained by the MLRO in secure storage.
6.3.4 Timeframe: As soon as practicable after the MLRO makes the decision to file. There is no statutory deadline in POCA for standard SAR filing, but the MLRO should file promptly. The JMLSG recommends filing within a reasonable time of the suspicion crystallising.
6.3.5 DAML - Defence Against Money Laundering consent:
(a) Where the MLRO has a suspicion and a relevant transaction is pending execution, the MLRO must not authorise the transaction to proceed without first obtaining consent from the NCA under the DAML regime (POCA 2002, sections 335–338), unless proceeding is necessary to avoid tipping-off the subject;
(b) The MLRO shall submit the SAR via SAR Online and request consent before the transaction proceeds;
(c) The NCA has seven working days from the "notice period" commencement date to either give consent or refuse consent. If the NCA does not respond within seven working days, the transaction may proceed;
(d) If the NCA refuses consent within the seven-day notice period, a further 31-day "moratorium period" commences during which the transaction must not proceed. If the NCA takes no further action within the moratorium period, the transaction may then proceed;
(e) The MLRO shall maintain a DAML consent register recording all instances where consent is sought, the dates of the notice and moratorium periods, and the NCA's response;
(f) The MLRO shall seek legal advice from the Group's UK legal advisers on any complex DAML situation, including where the NCA refuses consent.
6.3.6 Tipping-off in the UK context: Under POCA 2002 section 333A, tipping off is a criminal offence. The MLRO shall ensure that, where a DAML consent has been sought, no employee communicates to the customer any reason relating to the delay. Where a customer inquiry about a delayed transaction is received, the standard response shall be approved by the MLRO and legal counsel in advance.
6.4 Canada
6.4.1 Applicable framework: Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC Guidelines. FINTRAC is the FIU. All Canadian Money Services Businesses (MSBs) are required to report to FINTRAC.
6.4.2 Filing portal: FINTRAC's secure reporting portal (www.fintrac-canafe.gc.ca/reporting-declaration/). The MLRO shall maintain access credentials for the Canadian entity.
6.4.3 STR filing: A Suspicious Transaction Report must be filed with FINTRAC within 30 days of the date on which the MSB determines that it has reasonable grounds to suspect that a transaction or attempted transaction is related to ML or TF. The 30-day clock runs from the date of the determination, not the date of the transaction.
6.4.4 Large Cash Transaction Report (LCTR): An LCTR must be filed within 15 days of the receipt of cash of CAD 10,000 or more in a single transaction (or two or more transactions totalling CAD 10,000 or more made within 24 hours by or on behalf of the same person). The LCTR obligation is separate from and independent of the STR obligation.
6.4.5 Electronic Funds Transfer Report (EFTR): An EFTR must be filed within 5 business days of sending or receiving an international electronic funds transfer of CAD 10,000 or more. The EFTR obligation is separate from the STR obligation.
6.4.6 The MLRO shall ensure that the Group's Canadian operations maintain systems and processes to identify LCTR and EFTR obligations on an automated basis, and that reports are filed within the prescribed timeframes.
6.5 Pakistan
6.5.1 Applicable framework: Anti-Money Laundering Act, 2010 (AMLA); AML/CFT Regulations, 2015; SBP BPRD Circulars and AML/CFT Compliance Manual. The Financial Monitoring Unit (FMU) is Pakistan's FIU. The SBP also receives notifications from regulated payment system operators.
6.5.2 Filing channel: STRs are filed with the FMU via the FMU reporting portal or, pending implementation of the portal, via the FMU's prescribed form submitted by secure means as directed by the FMU.
6.5.3 Timeframe: Pakistan's AML framework requires reporting immediately upon forming a suspicion. The MLRO shall interpret "immediately" as requiring filing on the same day that the MLRO makes the decision to file, or no later than the following business day in cases where same-day filing is not operationally possible.
6.5.4 SBP notification: In addition to FMU filing, the SBP shall be notified where required by the terms of the relevant SBP licence or as required by SBP Circulars. The MLRO shall maintain a current understanding of SBP notification requirements and shall consult with the Group's Pakistan legal counsel where any uncertainty arises.
6.6 Bangladesh
6.6.1 Applicable framework: Money Laundering Prevention Act, 2012 (MLPA); Anti-Terrorism Act, 2009; Bangladesh Financial Intelligence Unit (BFIU) Circular No. 05 and related guidance; Bangladesh Bank Prevention of Money Laundering Regulations (BPSSR) 2014. The BFIU is Bangladesh's FIU.
6.6.2 Filing channel: STRs are filed with the BFIU via the BFIU's prescribed channel. The MLRO shall ensure the Bangladesh entity's compliance officer maintains access to the BFIU reporting system.
6.6.3 Timeframe: Reporting under the MLPA and BPSSR 2014 is required immediately upon forming a suspicion. The MLRO's standard for Bangladesh is same-day or next-business-day filing following the decision to file.
6.7 Nepal
6.7.1 Applicable framework: Asset (Money) Laundering Prevention Act, 2008 (ALPA) and associated rules; NRB Unified Directives; NRB/FIU reporting guidelines. The FIU Nepal (operating under Nepal Rastra Bank) is the competent authority.
6.7.2 Filing channel: STRs are filed with FIU Nepal via the channel prescribed by the FIU, which may include the goAML portal (being implemented by FIU Nepal) or other secure submission mechanisms as directed.
6.7.3 Timeframe: Reporting is required immediately upon suspicion. The MLRO's standard for Nepal is same-day or next-business-day filing following the decision to file.
6.8 Iraq
6.8.1 Applicable framework: Anti-Money Laundering and Terrorism Financing Law No. 39 of 2015; CBI AML/CFT instructions. The Iraqi Anti-Money Laundering Office (AMLO), operating under the Central Bank of Iraq (CBI), is the competent authority.
6.8.2 Filing channel: STRs are filed with the CBI AMLO via the mechanism prescribed by the CBI (currently paper or electronic submission as directed by the CBI). The MLRO shall ensure the Iraq entity maintains current knowledge of the required submission channel.
6.8.3 Timeframe: Reporting is required immediately upon suspicion under Iraqi AML law. The MLRO's standard for Iraq is same-day or next-business-day filing following the decision to file.
6.9 Singapore
6.9.1 Applicable framework: Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA); Terrorism (Suppression of Financing) Act (TSOFA); MAS Notice PSN02 on Prevention of Money Laundering and Countering the Financing of Terrorism (for Major Payment Institutions). The Suspicious Transaction Reporting Office (STRO), under the Singapore Police Force, is the competent authority.
6.9.2 Filing portal: SONAR (Suspicious Transaction Online Notification and Reporting system) - accessible via eCitizen or the STRO portal. The MLRO shall maintain access credentials for the Singapore HoldCo entity.
6.9.3 Timeframe: Filing shall be made as soon as reasonably practicable after forming suspicion. The CDSA does not specify a fixed number of days, but regulatory expectation is prompt filing.
7. Transaction Handling During STR Assessment
7.1 Default Position - Hold
7.1.1 Where an internal report has been made to the MLRO and the MLRO's assessment is in progress, the default position is that the suspicious transaction shall not be executed, released, or progressed until the MLRO has: (i) assessed the internal report; (ii) made a file/no-file decision; and (iii) in jurisdictions with a consent regime (notably the UK), obtained the necessary consent.
7.1.2 The Head of Settlements and Head of Treasury shall be informed by the MLRO (or designee) that a transaction is subject to an MLRO hold, without disclosing the reason for the hold (consistent with the tipping-off prohibition). Operational staff shall be provided with a standard internal holding instruction that does not disclose the existence of a suspicion.
7.2 Exception - Proceed to Avoid Tipping-Off
7.2.1 Where delaying or refusing a transaction would in itself alert the customer to the existence of a suspicion (i.e., create a tipping-off risk), the MLRO may authorise the transaction to proceed. Where the MLRO authorises proceeding in these circumstances:
(a) The decision and rationale shall be recorded in the STR Decision Log immediately;
(b) The STR/SAR shall be filed as soon as practicable - and in any event the same business day as the transaction is authorised to proceed;
(c) The MLRO shall ensure that enhanced monitoring is applied to the customer's subsequent transactions pending the FIU's response.
7.2.2 The tipping-off exception to the hold position shall not be used to avoid the inconvenience of a hold or to preserve a commercial relationship. It applies only where there is a genuine, documented risk of tipping-off.
7.3 Crypto-Specific: Wallet Freezing
7.3.1 Where a suspicion relates to a crypto off-ramp transaction or a white-label wallet balance, the MLRO shall instruct the relevant technology team to freeze the withdrawal or disbursement function for the relevant wallet or transaction immediately upon receiving the internal report.
7.3.2 The wallet freeze instruction shall be issued by the MLRO (or Deputy MLRO) in writing (secure email to the relevant technology function) and shall specify: the wallet address or account identifier; the scope of the freeze (specific transaction or all outbound transactions); and the authorisation reference.
7.3.3 The freeze shall remain in place until the MLRO provides written authorisation to release, or until a direction is received from a competent authority.
7.3.4 The existence of a wallet freeze shall not be disclosed to the customer. Where the customer inquires about inability to access their wallet, the standard response shall be a pre-approved holding message (approved by the MLRO and legal counsel) that does not reveal the reason for the restriction.
8. Quality Assurance
8.1 Quarterly STR Quality Review
8.1.1 The MLRO shall conduct a quarterly review of all STRs filed in the preceding quarter. The review shall assess:
(a) Timeliness of internal reporting (employee to MLRO) and external filing (MLRO to FIU);
(b) Quality and completeness of filed STRs - narrative clarity, supporting documentation, accuracy of subject and transaction details;
(c) Consistency of filing decisions - whether similar patterns of activity are being treated consistently across different reporters and business lines;
(d) FIU feedback received (queries, requests for further information, rejections) and patterns arising from such feedback;
(e) Whether the Group's detection rules and transaction monitoring scenarios are identifying the types of activity that are being reported, or whether there are gaps.
8.1.2 The quarterly review findings shall be recorded in a Quality Assurance Log maintained by the MLRO Office. Where findings indicate a systemic issue with quality, detection, or consistency, the MLRO shall take corrective action and report the issue to the Board Audit and Risk Committee.
8.2 Annual Independent Review
8.2.1 The STR/SAR process shall be subject to an annual independent review, conducted by either:
(a) The Group's Internal Audit function; or
(b) An external AML/CFT specialist, where Internal Audit does not have the requisite expertise.
8.2.2 The annual independent review shall assess: (i) compliance with these Procedures and applicable regulatory requirements; (ii) the adequacy of controls over internal reporting, MLRO assessment, filing, and record-keeping; (iii) the quality and completeness of STR Decision Log entries; (iv) the effectiveness of training and awareness; and (v) any recommendations for improvement.
8.2.3 The report from the annual independent review shall be submitted to the MLRO and to the Board Audit and Risk Committee. The MLRO shall prepare a remediation plan in response to any findings, with target completion dates.
8.3 Regulatory Feedback Loop
8.3.1 The MLRO shall maintain a record of all feedback received from FIUs in response to filed STRs/SARs, including: requests for additional information; acknowledgements of receipt; feedback on quality; and any law enforcement outcomes (where disclosed by the FIU).
8.3.2 FIU feedback shall be used to: (i) refine the Group's transaction monitoring detection rules; (ii) update internal typologies and red flag guidance; (iii) improve the quality of future STR/SAR filings; and (iv) inform the Group's annual AML/CFT risk assessment.
8.3.3 Where an FIU contacts the Group following a filed STR/SAR to request additional information or documents, the MLRO shall respond promptly and within any timeframe specified by the FIU. The MLRO shall coordinate with relevant internal functions (Finance, Settlements, Technology) to retrieve the requested information, without disclosing to those functions the nature or subject of the FIU inquiry beyond what is strictly necessary.
9. Record-Keeping
9.1 Retention Requirements
All records relating to internal suspicion reports, MLRO assessments, filed STRs/SARs, and supporting evidence shall be retained in accordance with the following requirements:
| Record Type | Retention Period | Owner |
|---|---|---|
| Internal Suspicion Reporting Forms | Minimum 6 years from date of submission (DFSA); 5 years from date of transaction (FINTRAC); 5 years from date of filing (POCA UK) | MLRO Office |
| STR Decision Log entries | Minimum 6 years from date of decision (DFSA baseline) | MLRO |
| Filed STR/SAR copies and supporting documents | Minimum 6 years from date of filing (DFSA); 5 years (FINTRAC, POCA) | MLRO Office |
| Transaction records supporting filed STRs | Per the AML/CFT Policy record-keeping requirements - minimum 5 years | Finance / Compliance |
| Customer due diligence records related to filed STRs | Minimum 5 years from end of customer relationship | Compliance / KYC function |
| DAML consent register (UK) | Minimum 5 years from date of SAR filing | MLRO Office |
| FIU correspondence and feedback | Minimum 6 years | MLRO Office |
| Quality Assurance Log | Minimum 6 years | MLRO Office |
Where different retention periods apply across jurisdictions, the longer period shall apply to any record that is relevant to obligations in multiple jurisdictions.
9.2 Storage and Security
9.2.1 All STR/SAR records, including the STR Decision Log, are highly sensitive documents. They shall be stored in a secure, access-controlled location (physical or digital) accessible only to the MLRO, Deputy MLRO, and persons expressly authorised by the MLRO.
9.2.2 Digital STR/SAR records shall be stored in an encrypted environment with access logging. Access logs shall be reviewed by the MLRO quarterly.
9.2.3 STR/SAR records shall not be stored in shared drives, general compliance repositories, or any system accessible to business line personnel.
9.2.4 In the event of a data breach involving STR/SAR records, the MLRO shall be notified immediately and shall assess and manage notification obligations to regulatory authorities.
9.3 Production on Regulatory Inspection
9.3.1 In the event of a regulatory inspection or audit by any FIU or regulatory authority, the MLRO shall manage the production of STR/SAR records. Records shall be produced in the format and within the timeframe requested by the authority.
9.3.2 The MLRO shall liaise with the Head of Legal prior to and during any inspection to ensure that records are produced appropriately and that any legally privileged materials are identified and handled correctly.
10. Reporting and Governance
10.1 Monthly MLRO Report
10.1.1 The MLRO shall submit a monthly report to the Compliance Committee (or, in its absence, the Chief Compliance Officer) covering:
(a) Number of internal suspicion reports received in the month, by business line and product;
(b) Number of MLRO decisions made: to file, not to file, and pending;
(c) Number of STRs/SARs filed in the month, by jurisdiction;
(d) Average time from internal report receipt to MLRO decision;
(e) Average time from MLRO decision to external filing;
(f) Any instances of transaction holds, wallet freezes, or DAML consent requests;
(g) Any regulatory feedback or enquiries received;
(h) Any material concerns arising from the period.
10.1.2 The monthly report shall be prepared on a basis that protects the confidentiality of individual STR/SAR subject details.
10.2 Quarterly Report to Board Audit and Risk Committee
10.2.1 The MLRO shall submit a quarterly STR Analysis Report to the Board Audit and Risk Committee. This report shall be anonymised (no subject-identifying information) and shall include:
(a) STR/SAR volumes and trends (quarter-on-quarter and year-on-year);
(b) Filing timeliness against the KPIs in Section 10.4;
(c) Breakdown by jurisdiction, product type, and customer segment;
(d) Summary of quality assurance findings;
(e) Any regulatory feedback or FIU enquiries;
(f) Emerging typologies or red flags identified from the period's activity;
(g) Any material concerns or recommendations for Board consideration.
10.3 Annual STR Trends Analysis
10.3.1 The MLRO shall produce an Annual STR Trends Analysis as part of the input to the Group's Annual AML/CFT Risk Assessment. This analysis shall cover:
(a) Full-year STR/SAR volumes by jurisdiction, product, and customer segment;
(b) Year-on-year trend analysis;
(c) Assessment of whether the Group's detection rules are calibrated to identify the risk typologies identified in the risk assessment;
(d) Recommendations for changes to monitoring rules, policies, or training arising from the year's experience;
(e) Assessment of regulatory developments in each jurisdiction that may affect STR/SAR obligations.
10.4 Key Performance Indicators
| KPI | Target | Owner | Reporting Frequency |
|---|---|---|---|
| Internal reports submitted within 24 hours of suspicion forming | 100% | All employees (monitored by MLRO) | Monthly |
| MLRO initial review completed within 48 hours (standard) | 100% | MLRO | Monthly |
| MLRO initial review completed within 24 hours (urgent) | 100% | MLRO | Monthly |
| STR/SAR filed within required regulatory timeframe (by jurisdiction) | 100% | MLRO | Monthly |
| STR Decision Log entries completed for all decisions (file and no-file) | 100% | MLRO | Monthly |
| STRs with no FIU queries or returns (quality indicator) | Target >90% | MLRO | Quarterly |
| Annual independent review completed within Q1 of each year | 100% | MLRO | Annually |
| Quarterly QA review completed | 100% | MLRO | Quarterly |
| Employee AML training completion (including STR obligations) | 100% annually | MLRO / HR | Annually |
11. Exceptions
11.1 No Exceptions to Filing Obligation
There shall be no exceptions to the obligation to file an STR/SAR where the MLRO has determined that the suspicion threshold is met. The filing obligation is a legal requirement and cannot be waived by any member of management, the Board, or any commercial consideration.
11.2 Procedural Exceptions
Where an exception to a procedural requirement in these Procedures is necessary (for example, due to a system outage affecting the compliance portal), the MLRO may approve a temporary procedural variation with documented rationale. The variation shall be of the minimum scope and duration necessary, and shall be recorded in the Quality Assurance Log. The MLRO shall notify the Chief Compliance Officer of any procedural variation.
11.3 Regulatory Exceptions
Where a regulatory authority in any jurisdiction provides guidance or direction that conflicts with these Procedures, the MLRO shall apply the regulatory authority's direction and update these Procedures accordingly at the next available opportunity.
12. Related Policies
- AML/CFT Policy (SGP-FCC-001)
- Customer Due Diligence and KYC Policy (SGP-FCC-002)
- Fraud Risk Management Policy (SGP-FCC-003)
- Sanctions Compliance Policy (SGP-FCC-004)
- Client Money Policy (SGP-FIN-001)
- Whistleblowing Policy (SGP-GOV-002)
- Operational Resilience Policy (SGP-OPS-001)
13. Appendices
Appendix A: Internal Suspicion Reporting Form (Template)
CONFIDENTIAL - MLRO USE ONLY
| Field | Details |
|---|---|
| Report Reference Number | [Auto-generated by compliance portal] |
| Date and Time of Submission | |
| Reporter Name | |
| Reporter Role and Entity | |
| Date and Time Suspicion Formed | |
| Subject Name(s) | |
| Subject Account Number(s) | |
| Subject Customer Type | Merchant / End-User / Partner / Unknown |
| Transaction Date(s) | |
| Transaction Amount(s) and Currency | |
| Transaction Reference Number(s) | |
| Originating Account / Wallet / Corridor | |
| Beneficiary Account / Wallet / Country | |
| Product Involved | Pay-In / Pay-Out / Remittance / Crypto Off-Ramp / Wallet |
| Description of Suspicious Activity | [Full narrative] |
| Specific Reason(s) for Suspicion | [Red flags, alert references, behavioural observations] |
| Supporting Evidence Available | [List documents, screenshots, alert IDs] |
| Action Taken by Reporter (if any) | [e.g., declined transaction, placed hold] |
| Tipping-Off Risk Assessment | [Does normal business continuation risk tipping-off? Y/N - Explain] |
| Reporter Signature | |
Appendix B: MLRO STR Decision Log Template
STRICTLY CONFIDENTIAL - MLRO OFFICE ONLY
| Field | Details |
|---|---|
| Internal Report Reference | |
| Date Internal Report Received | |
| Date MLRO Assessment Commenced | |
| Date MLRO Decision Made | |
| MLRO Decision | File STR / Do Not File / Pending Further Information |
| Jurisdiction(s) of Filing (if applicable) | |
| Filing Reference Number(s) | |
| Date of External Filing | |
| Assessment Summary | [MLRO's analysis of the suspicion threshold and relevant factors] |
| Rationale for Decision | [Full rationale - mandatory for both file and no-file decisions] |
| Transaction Hold Placed? | Y/N |
| Wallet Freeze Instructed? | Y/N |
| DAML Consent Sought (UK)? | Y/N - NCA Reference - Date Consent/Deemed Consent Received |
| Further Information Requested? | Y/N - From Whom - Date Received |
| Follow-Up Actions Required | |
| MLRO Signature | |
Appendix C: Jurisdiction Filing Reference Guide
| Jurisdiction | FIU / Authority | Platform / Channel | STR Timeframe | LCTR/EFTR | Tipping-Off Offence Reference |
|---|---|---|---|---|---|
| UAE / DIFC | UAE FIU + DFSA | goAML portal | Immediately / as soon as practicable | N/A | UAE AML Law Art. 22 |
| United Kingdom | NCA (UKFIU) | SAR Online | As soon as practicable; DAML if transaction pending | N/A | POCA 2002, s.333A |
| Canada | FINTRAC | FINTRAC Reporting Portal | Within 30 days of determination | LCTR: 15 days (CAD 10K+); EFTR: 5 days (CAD 10K+) | PCMLTFA s.8 |
| Pakistan | FMU | FMU portal / prescribed form | Immediately upon suspicion | N/A | AMLA 2010, s.7 |
| Bangladesh | BFIU | BFIU prescribed channel | Immediately upon suspicion | N/A | MLPA 2012 |
| Nepal | FIU Nepal | goAML / FIU Nepal channel | Immediately upon suspicion | N/A | ALPA 2008 |
| Iraq | CBI AMLO | CBI prescribed mechanism | Immediately upon suspicion | N/A | AML Law No. 39/2015 |
| Singapore | STRO (SPF) | SONAR | As soon as reasonably practicable | N/A | CDSA s.39 |
Appendix D: Red Flag Typologies by Product
Pay-Ins and Merchant Payments
- Merchant transaction volumes significantly exceeding onboarding projections with no business explanation
- High proportion of chargebacks or reversals relative to transaction volume
- Unusual geographic patterns of inbound payments (originating from high-risk jurisdictions inconsistent with merchant's business)
- Multiple transactions just below reporting thresholds ("structuring")
- Merchants receiving funds from multiple unrelated third parties not consistent with their stated business
Remittances
- Customer sending large volumes of remittances to multiple beneficiaries in different jurisdictions with no apparent family or business connection
- Frequent changes to beneficiary details with no explanation
- Customers paying in cash for remittance transactions at or near reporting thresholds
- Remittances to high-risk jurisdictions or sanctioned countries without legitimate justification
- Patterns of incoming funds from one source immediately transferred out to multiple recipients ("pass-through" behaviour)
Crypto Off-Ramping
- Customer converting cryptocurrency to fiat immediately upon receipt with no knowledge of the source of the crypto
- Crypto proceeds originating from wallets flagged by blockchain analytics as having links to darknet markets, ransomware, or sanctioned entities
- Requests to convert large amounts of privacy coins (Monero, Zcash) with no legitimate explanation
- Structuring of crypto conversions across multiple transactions to stay below reporting thresholds
White-Label Wallets
- Wallet accounts receiving large inflows from multiple unrelated parties followed by immediate withdrawal
- Dormant wallets suddenly becoming highly active with large volumes
- Wallet-to-wallet transfers between accounts with no apparent commercial relationship
- Requests to withdraw wallet balances to accounts in jurisdictions inconsistent with the customer's profile
Appendix E: Regulatory Framework Quick Reference - Key AML Legislation
| Jurisdiction | Primary AML Legislation | TF Legislation | Regulator |
|---|---|---|---|
| UAE / DIFC | Federal Decree-Law No. 20/2018; DFSA AML Module | Federal Law No. 7/2014 (amended) | DFSA / UAE FIU |
| United Kingdom | Proceeds of Crime Act 2002; MLR 2017 | Terrorism Act 2000 | FCA / NCA |
| Canada | PCMLTFA 2000 (as amended) | Criminal Code (terrorism financing) | FINTRAC |
| Pakistan | Anti-Money Laundering Act 2010; AML/CFT Regulations 2015 | Anti-Terrorism Act 1997 | FMU / SBP |
| Bangladesh | Money Laundering Prevention Act 2012 | Anti-Terrorism Act 2009 | BFIU / Bangladesh Bank |
| Nepal | Asset (Money) Laundering Prevention Act 2008 | ATPA 2012 | FIU Nepal / NRB |
| Iraq | AML and TF Law No. 39/2015 | Anti-Terrorism Law 2005 | CBI AMLO |
| Singapore | CDSA (Cap. 65A); MAS Notice PSN02 | TSOFA (Cap. 325) | MAS / STRO |
These Procedures were approved by the Board of Directors of Simpaisa Group on [Approval Date]. They are effective from 1 April 2026 and shall be reviewed no later than 1 April 2027, or earlier if required by a material change in applicable regulation or the Group's business operations.
Owner: Shoukat Bizinjo, Money Laundering Reporting Officer
Classification: Confidential - MLRO Office