Simpaisa Group
Board Presentation and DFSA Category 3D Evidence Matrix
Classification: Confidential - Board and Counsel Distribution Only
Prepared by: Chief Digital Officer
Date: April 2026
Version: 1.0
PART A: BOARD PRESENTATION DECK
Simpaisa Group Operating Model v1.0
Slide 1 - Title
SIMPAISA GROUP Operating Model v1.0
Presented to the Board of Directors April 2026
| | |
|---|---|
| Presented by | Daniel O'Reilly, Chief Digital Officer |
| Classification | Confidential - Board Distribution Only |
| Document | Operating Model v1.0 - Board Approval Pack |

For review and approval by the Board of Simpaisa Holdings PTE. Limited
Nadeem Hussain, Non-Executive Chairman
Slide 2 - Executive Summary
What this is
- The Simpaisa Group Operating Model v1.0 - a single authoritative document codifying how the Group is governed, operated, and controlled across 9 entities, 7 jurisdictions, and 180 employees.
- 28 sections, 8 standalone policies, approximately 12,000 lines; produced by the CDO function in Days 1–5.

Why now
- Simpaisa's expansion trajectory - DFSA Cat 3D, SAMA Major PI, Kazakhstan - demands an institutional-grade operating model. Regulators at this tier require a written, auditable account of how the Group functions.
- The business has outgrown informal governance. A $1B+ processor with 9 entities and live operations in 7 markets requires explicit accountability structures, delegation frameworks, and documented controls.

What it enables
- Immediate: DFSA Category 3D licence application - the Operating Model and standalone policies constitute the substantive governance and compliance submission.
- Medium-term: Board confidence, investor credibility, and scalable onboarding as headcount and geography grow.
- Long-term: A governance infrastructure that absorbs Saudi Arabia, Kazakhstan, and MENA without structural redesign.
Slide 3 - Company at a Glance
| Metric | Detail |
|---|---|
| Founded | 2016, Singapore |
| HoldCo | Simpaisa Holdings PTE. Limited (Singapore) |
| Group Entities | 9 across Singapore, Pakistan, Bangladesh, Nepal, Iraq, UAE, UK, Canada |
| Headcount | 180 employees |
| Management HQ | DIFC, Dubai (GMT+4) |
| Transaction Volume | $1B+ processed |
| Stage | Profitable; primary objective is scale-up and growth |
| Active Markets | Pakistan, Bangladesh, Nepal, Canada (remittances), Iraq |
| Expansion Markets | UAE (DFSA), Saudi Arabia (SAMA), Kazakhstan |
| Key Merchants | Google, Samsung, Temu, Tencent, Garena, dLocal, Thunes, TerraPay, InDrive, Muzz |
| Investors | Planet N Group (Nadeem Hussain), Sarmayacar VC |
| Shareholders | See corporate structure; HoldCo is Singapore-domiciled |
Slide 4 - Corporate Structure
Simpaisa Group - 9 Entities
Simpaisa Holdings PTE. Limited [Singapore HoldCo]
│
├── PublishEx Solutions PVT Limited [Pakistan] - SBP Schedule H; PSO/PSP applied
│
├── Simpoysha BD Limited [Bangladesh] - operating entity
│
├── Soft Tech Innovation PVT LTD / aamarPay [Bangladesh] - PSO licence; acquired
│
├── Simpaisa Technologies LTD [UAE / DIFC] - DFSA Cat 3D in application
│
├── Commerce Plex Limited [UK / Canada] - FINTRAC MSB + FMSB; active
│
├── Simpaisa CA LTD [Canada] - FINTRAC; active
│
├── Simpaisa Holdings PTE. LTD - Iraq Branch Office [Iraq] - operational
│
└── Pay Nest PVT LTD [Nepal] - PSO target via M&A
Equity Investments (Minority / Acquiring)
- Pakistan EMI-licensed entity - 33.3% acquisition in progress (white-label wallet enablement)

Key Corporate Facts
- Ultimate parent: Simpaisa Holdings PTE. Limited (Singapore)
- All regulated entities are wholly owned subsidiaries
- Intercompany agreements governing technology services, treasury, and IP licensing are in development (documented in Section 3)

Slide 5 - Leadership Team
Board of Directors - Simpaisa Holdings PTE. Limited
| Name | Role | Classification |
|---|---|---|
| Nadeem Hussain | Non-Executive Chairman | Non-Executive |
| Yassir Pasha | Chief Executive Officer | Executive Director |
| Bernhard Klemen | Non-Executive Director | Non-Executive |
| Blake Tan | Non-Executive Director | Non-Executive |
| Sebastian Reis | Non-Executive Director | Non-Executive |
| [INED - TBC] | Independent Non-Executive Director | Independent NED |
Executive Leadership Team
| Name | Role | Remit |
|---|---|---|
| Yassir Pasha | CEO | Group strategy, P&L, investor relations |
| Daniel O'Reilly | Chief Digital Officer | Product, Security, Data, Technology |
| Kamil Shaikh | COO | Operations, compliance operations, service delivery |
| Bachir Njeim | CSNO | Commercial, sales, network (ex-Western Union, 20 yrs) |
| Mohammad Mustafa | CFO | Finance, treasury, capital |
| Danish Hamid | CISO | Information security, SOC/NOC |
| Saqlain Raza | CTO | Engineering (38-person organisation) |
| Rizwan Zafar | CPO | Product management, roadmap, integration |
| Shoukat Bizinjo | Global Head, Regulatory Affairs | Licencing, DFSA, FATF alignment (ex-SBP, 25 yrs) |
| [Group CCO - TBC] | Group Chief Compliance Officer | Financial crime, AML/CFT, compliance programme |
| Noor Ali | Country Head, Pakistan | Pakistan P&L, regulatory, operations |
| Sanjana Farid | Country Head, Bangladesh | Bangladesh P&L, regulatory, operations |
Slide 6 - Governance Framework
Board Committees - Four Standing Committees
| Committee | Chair | Primary Remit |
|---|---|---|
| Audit and Risk Committee (ARC) | INED [TBC] | Financial reporting, internal controls, ERM, risk appetite |
| Compliance and Regulatory Committee (CRC) | NED | Regulatory compliance, financial crime, approved persons |
| Remuneration and Nomination Committee (RemNom) | NED | Executive remuneration, director appointment, fit and proper |
| Technology and Information Security Committee (TISCo) | CDO (standing invitee) | Technology risk, cyber, data governance, DFSA IT submissions |
Delegation of Authority Matrix - Key Thresholds
| Decision | CEO Authority | Board Required |
|---|---|---|
| Capital expenditure | Up to $500K | Above $500K |
| New market entry | Recommendation only | Board approval |
| Licence applications | Preparation and submission | Board approval |
| New product launch | Up to existing markets | Board if material capital |
| Senior executive appointments | CEO direct reports | Board ratification |
| Policy approval (Tier 1) | None | Board approval |
Governance Calendar
- Quarterly Board meetings (minimum)
- Annual Strategy Away Day
- Annual General Meeting
- Committee meetings aligned to Board cycle

Slide 7 - Product Portfolio
Five Products | Active Across Three Markets | Expanding
| Product | Description | Pakistan | Bangladesh | Nepal | Canada | UAE (Pipeline) |
|---|---|---|---|---|---|---|
| Pay-Ins (Collections) | MDR-based merchant payment acceptance | Active | Active | Active | - | - |
| Pay-Outs (Disbursements) | Bulk and real-time disbursements to wallets/banks | Active | Active | Active | - | - |
| Remittances | Cross-border consumer transfers | - | - | - | Active | - |
| Crypto Off-Ramping | USDT→local currency (Binance integration) | Active (USDT→PKR) | - | - | - | - |
| White-Label Wallets | Co-branded stored-value wallets for merchants | Active (EMI-dependent) | Planned | - | - | Planned |
Revenue Model
- Collections: Merchant Discount Rate (MDR) applied to gross transaction value
- Remittances: FX spread + fee per transaction
- Crypto: Conversion spread on USDT→PKR
- White-label: Platform fee + revenue share
Key Merchants: Google, Samsung, Temu, Tencent, Garena, dLocal, Thunes, TerraPay, InDrive, Muzz
Slide 8 - Payment Channel Network
Active Payment Rails by Market
| Channel Type | Pakistan | Bangladesh | Nepal | Canada |
|---|---|---|---|---|
| Mobile Wallets | JazzCash, EasyPaisa, NayaPay, SadaPay | bKash, Nagad, Rocket | eSewa, Khalti, IME Pay | - |
| Bank Transfer / IBFT | 1LINK IBFT, NPSB | BEFTN, NPSB | Fonepay | Interac, wire |
| Direct Carrier Billing | Mobilink, Telenor, Ufone, Zong | - | - | - |
| Over-the-Counter | Branchless banking agents | Mobile banking agents | Agent networks | - |
| Card (Visa/MC) | Via acquiring partners | Via acquiring partners | - | - |
| Crypto | Binance (USDT→PKR) | - | - | - |
Network Depth
- Pakistan: 40+ payment operators integrated; broadest coverage of any aggregator
- Bangladesh: PSO licence (aamarPay) enables direct integration without sponsor model
- Nepal: PSO acquisition target identified; currently via partners
- Canada: FINTRAC-regulated MSB; Interac and wire corridors active

Settlement Architecture
- T+1 standard; real-time available for selected high-volume merchants
- Settlement engine: automated calculation, FX conversion, banking API integration
- Active-active DR architecture; no single point of failure in payment processing

Slide 9 - Regulatory Footprint
Current Licences
| Jurisdiction | Entity | Licence | Regulator | Status |
|---|---|---|---|---|
| Canada | Commerce Plex / Simpaisa CA | MSB + FMSB | FINTRAC | Active |
| Pakistan | PublishEx Solutions | SBP Schedule H (via UBL) | SBP | Active |
| Bangladesh | Soft Tech / aamarPay | PSO | Bangladesh Bank | Active |
Licences in Progress
| Jurisdiction | Entity | Licence | Regulator | Status |
|---|---|---|---|---|
| UAE / DIFC | Simpaisa Technologies LTD | DFSA Category 3D | DFSA | In Application |
| Pakistan | PublishEx Solutions | PSO/PSP (own licence) | SBP | Applied - Under Review |
| Pakistan | [Target EMI entity] | EMI (33.3% stake) | SBP | Acquisition in Progress |
| Nepal | Pay Nest PVT LTD | PSO (M&A route) | NRB | Target Identified |
Planned Licences
| Jurisdiction | Licence | Regulator | Timeline |
|---|---|---|---|
| Saudi Arabia | SAMA Major Payment Institution | SAMA | 3-phase plan; Phase 1 Q2 2026 |
| Kazakhstan | Payment Organisation | National Bank of Kazakhstan | Q1 2026 target |
Slide 10 - DFSA Category 3D Readiness
Traffic Light Summary - 18 Requirements Assessed
| Status | Count | Description |
|---|---|---|
| MET | 2 | Requirement fully satisfied by existing Group framework |
| PARTIALLY MET | 13 | Group-level foundations in place; DIFC-entity specifics required |
| GAP | 3 | No substantive reference in current documentation; action required |
MET (Green)
| # | Requirement |
|---|---|
| 1 | Non-Executive Chairperson - Nadeem Hussain confirmed; role documented at Section 4.1 |
| 16 | Governance Structure - Board, 4 committees, DoA Matrix, governance calendar all documented |
PARTIALLY MET (Amber) - 13 Requirements
Key items: SEO appointment, MLRO appointment, Compliance Officer, Capital adequacy confirmation, Systems and Controls (DIFC addendum required), Business Plan (financial projections required), Operational Resilience (DIFC-specific BCP/RTO), Outsourcing Policy and Register, Data Protection (DIFC DPL 2020 mapping), Client Money Account (DIFC account not yet opened), Fit and Proper assessments, AML/CFT programme (DFSA Module addendum), Risk Management Framework (CRO vacancy)
GAP (Red) - Immediate Action
| # | Requirement | Action |
|---|---|---|
| 5 | Finance Officer | No DIFC designation; CFO or separate appointee required |
| 17 | Complaints Handling | No policy exists anywhere in OpModel; draft from scratch |
| 18 | Professional Indemnity Insurance | No insurance programme referenced; engage broker immediately |
Board Action Required: Approve gap remediation plan and assign accountable officers (see Slide 19).
Slide 11 - Compliance Programme
Three Lines of Defence Framework
| Line | Function | Owner | Key Activities |
|---|---|---|---|
| First Line | Business and Operations | COO, Country Heads | Transaction monitoring, KYC/KYB onboarding, real-time sanctions screening (Eastnets), STR identification, daily reconciliation |
| Second Line | Risk and Compliance | Group CCO (TBC), GH Regulatory Affairs | AML/CFT programme governance, compliance monitoring, risk assessments, regulatory reporting, FATF alignment, DFSA liaison |
| Third Line | Internal Audit | Head of Internal Audit (ARC oversight) | Independent assurance, audit plan execution, findings and recommendations to ARC |
AML/CFT Programme Components
- Customer Risk Assessment: tiered risk scoring (Low / Medium / High / Very High)
- KYC/KYB: identity verification, beneficial ownership, PEP/sanctions screening
- Transaction Monitoring: automated alerts, threshold rules, typology-based detection
- Sanctions Screening: Eastnets platform; real-time screening against OFAC, UN, EU, HMT lists
- SAR/STR Reporting: goAML (UAE, post-authorisation); FMU (Pakistan); FINTRAC (Canada)
- Anti-Bribery and Corruption: gifts, hospitality, third-party due diligence
- Anti-Fraud: fraud typology mapping, velocity rules, chargeback monitoring

Existing Tier 1 Policies
- Group Compliance Framework | Group Sanctions Policy | Group ABC Policy | Group Client Funds Safeguarding | Risk Assessment Policy | Data Retention and Protection | Security Architecture

Slide 12 - Risk Heat Map
Enterprise Risk Framework - Risk Appetite: Moderate
| Risk Category | Likelihood | Impact | Inherent Rating | Key Controls |
|---|---|---|---|---|
| Financial Crime / AML | Medium | Very High | HIGH | Eastnets screening, 3LoD, STR reporting, FATF-aligned programme |
| Regulatory / Licensing | High | Very High | CRITICAL | GH Regulatory Affairs, DFSA roadmap, SBP PSO application |
| Technology / Cyber | Medium | High | HIGH | CISO org, SOC/NOC, ISO 27001 in progress, PCI DSS, active-active DR |
| Operational Resilience | Medium | High | HIGH | Active-active DR, Cloudflare migration, BCP (DIFC-specific pending) |
| FX / Liquidity | High | High | HIGH | Treasury policy, float management, FX hedging framework |
| Counterparty / Settlement | Medium | High | HIGH | Pre-funding model, daily reconciliation, counterparty due diligence |
| Talent / Key Person | High | Medium | HIGH | Succession planning, competitive remuneration (RemNom oversight) |
| Data Protection | Low | High | MEDIUM | DIFC DPL 2020 mapping underway, Data Retention Policy active |
| Reputational | Low | Very High | MEDIUM | Board-level oversight, ARC, proactive regulator engagement |
| Islamic Finance | Low | Medium | LOW | Shariah compatibility framework, merchant screening |
Group CRO / Risk Function: Formally structuring - currently GH Regulatory Affairs and Group CCO share second-line risk functions. CRO appointment is a near-term priority (see Slide 18).
Slide 13 - Technology Architecture
Platform Overview - Five Logical Layers
| Layer | Technology | Notes |
|---|---|---|
| Payment Gateway | Node.js, REST API, AWS ALB, Redis | Stateless; API key + HMAC auth; idempotency enforced |
| Processing Engine | Java / Spring Boot microservices, Kafka | One service per payment channel; durable message queue |
| Settlement Engine | Python | T+1 standard; real-time for selected merchants; auto-GL integration |
| Merchant Portal | React / Node.js BFF | Fully isolated from transaction-critical services |
| Partner APIs | Versioned REST | Higher rate limits; white-label and aggregator consumption |
Infrastructure
- Primary: AWS (EC2, VPC, RDS Multi-AZ, Kafka, Redis, MongoDB)
- DR: Active-active architecture - no failover lag; dual-stack live
- Databases: MySQL (transactions), PostgreSQL (reporting), MongoDB (event logs), DocumentDB (sessions)
- CI/CD: Jenkins, Terraform IaC, Bitbucket, Snyk, SonarQube
- DevSecOps: 4 environments (dev / staging / pre-prod / production); daily deployment target

Cloudflare-First Strategy
- Phase 1 (Complete): DNS migration; DDoS mitigation and WAF activated
- Phase 2 (In Progress): WAF ruleset migration; PCI DSS-aligned rules
- Phase 3 (H2 2026): CDN migration from CloudFront
- Phase 4 (2027): Cloudflare Workers for edge compute; in-country latency reduction (Karachi, Dhaka, Kathmandu, Baghdad PoPs)

Data Residency
- Pakistan SBP and Bangladesh Bank data localisation requirements met via AWS Mumbai region and Cloudflare regional services
- Data residency register maintained by CISO; quarterly review

In-Country Compliance
- PCI DSS v4.0 compliant
- ISO 27001:2022 certification in progress
- Bitbucket for all source control (not GitHub)

Slide 14 - Financial Overview
Revenue Model
| Revenue Stream | Mechanism | Markets |
|---|---|---|
| Collections (Pay-Ins) | MDR % of GTV | Pakistan, Bangladesh, Nepal |
| Disbursements (Pay-Outs) | Fee per transaction / MDR | Pakistan, Bangladesh, Nepal |
| Remittances | FX spread + transaction fee | Canada → PK/BD/NP |
| Crypto Off-Ramping | Conversion spread | Pakistan |
| White-Label Platform | SaaS fee + revenue share | Pakistan (expanding) |
Key Financial Metrics
| Metric | Status |
|---|---|
| GTV | $1B+ processed to date; growing |
| Profitability | Profitable at Group level |
| Primary objective | Scale-up and growth |
| Capital adequacy (DFSA) | USD 300–500K required; injection to be arranged |
| Audit | PwC Pakistan (operational entity); PwC Singapore (HoldCo) |
Financial Governance
- CFO: Mohammad Mustafa
- Finance function owns: financial reporting, treasury, FX management, capital adequacy monitoring, settlement reconciliation
- Financial statements: annual Group consolidation; entity-level reporting per local regulatory requirements
- Board approval required for: annual budget, financial statements, capital distributions, acquisitions
Note: Three-year financial projections are being prepared for inclusion in the DFSA Regulatory Business Plan. Not reproduced in the Operating Model.
Slide 15 - Country Operations Summary
Seven Markets at a Glance
| Market | Entity | Headcount (approx.) | Licence Status | Products | Key Regulatory Body |
|---|---|---|---|---|---|
| Pakistan | PublishEx Solutions PVT Ltd | ~120 (engineering + ops) | SBP Schedule H (active); PSO applied | Pay-Ins, Pay-Outs, Crypto, Wallets | SBP |
| Bangladesh | Simpoysha BD / aamarPay | ~15 | PSO - Bangladesh Bank (active) | Pay-Ins, Pay-Outs | Bangladesh Bank |
| Nepal | Pay Nest PVT LTD | Small | M&A target identified (NRB PSO) | Pay-Ins, Pay-Outs (via partners) | Nepal Rastra Bank |
| Iraq | Branch Office (Simpaisa Holdings) | Small | Branch operational | Pay-Ins, Pay-Outs | [Local regulator] |
| Canada | Commerce Plex / Simpaisa CA | ~5 | FINTRAC MSB + FMSB (active) | Remittances | FINTRAC |
| UAE / DIFC | Simpaisa Technologies LTD | - | DFSA Cat 3D - In Application | Hub: all products post-authorisation | DFSA |
| UK | Commerce Plex Limited | - | Operating; FCA status TBC | Support entity | FCA |
Expansion Pipeline
| Market | Target Licence | Timeline | Entry Model |
|---|---|---|---|
| Saudi Arabia | SAMA Major PI | Q2 2026 (Phase 1: aggregator) | 3-phase; aggregator → own licence |
| Kazakhstan | Payment Organisation | Q1 2026 | Own licence via National Bank of Kazakhstan |
Slide 16 - Policy Suite
8 Standalone Policies - Newly Drafted (April 2026)
| Ref | Policy | Owner | Status | DFSA Critical |
|---|---|---|---|---|
| SGP-OPS-001 | Operational Resilience Policy | CDO | Active v1.0 | Yes |
| SGP-OPS-002 | Outsourcing and Third-Party Management Policy | COO | Active v1.0 | Yes |
| SGP-CDO-001 | Data Governance Policy | CDO | Active v1.0 | Yes |
| SGP-GOV-001 | Remuneration Policy | RemNom Committee | Active v1.0 | Yes |
| SGP-GOV-002 | Whistleblowing Policy | Group CCO | Active v1.0 | Yes |
| SGP-GOV-003 | Conflicts of Interest Policy | Group CCO | Active v1.0 | Yes |
| SGP-GOV-004 | Complaints Handling Policy | COO | Active v1.0 | Yes |
| SGP-GOV-005 | Code of Conduct and Ethics | CEO | Active v1.0 | Governance |
14 Existing Group Policies - Carried Forward
| # | Policy | Tier | Status | Next Review |
|---|---|---|---|---|
| 1 | Group Compliance Framework | 1 | Active | Q4 2025 |
| 2 | Group Client Funds Safeguarding | 1 | Active | Q4 2025 |
| 3 | Group Sanctions Policy | 1 | Active | Q4 2025 |
| 4 | Group Anti-Bribery and Corruption | 1 | Active | Q4 2025 |
| 5 | Risk Assessment Policy | 1 | Active | Q4 2025 |
| 6 | AML/CFT/PF - Singapore HoldCo | 2 | Active | Q4 2025 |
| 7 | AML/CFT/PF - Commerce Plex (Canada) | 2 | Active | Q4 2025 |
| 8 | AML/CFT - Simpaisa CA (Canada) | 2 | Active | Q4 2025 |
| 9 | AML/CFT/PF - PublishEx (Pakistan) | 2 | Active | Q4 2025 |
| 10 | Anti-Fraud - Commerce Plex | 2 | Active | Q4 2025 |
| 11 | Anti-Fraud - Simpaisa CA | 2 | Active | Q4 2025 |
| 12 | PublishEx Sanctions Policy | 2 | Active | Q4 2025 |
| 13 | Data Retention and Protection | 1 | Active | Q4 2025 |
| 14 | Security Architecture Document | 1 | Active | Q4 2025 |
Still Required (DFSA application prerequisites)
- Group Fit and Proper Policy | DFSA-specific AML/CFT Addendum | DIFC DPL 2020 Data Mapping

Slide 17 - KPI Dashboard
Top 15 KPIs | April 2026 Baseline
| # | KPI | Category | Target | Frequency |
|---|---|---|---|---|
| 1 | Gross Transaction Value (GTV) | Commercial | $[X]M / month | Monthly |
| 2 | Transaction Success Rate | Operations | >97.5% | Daily |
| 3 | Payment Channel Uptime | Technology | >99.9% | Real-time |
| 4 | Settlement Accuracy Rate | Finance | 100% | Daily |
| 5 | KYC/KYB Onboarding TAT | Compliance | <24 hours | Weekly |
| 6 | STR Filing Rate (of flagged transactions) | Financial Crime | 100% within SLA | Monthly |
| 7 | Sanctions Screening False Positive Rate | Financial Crime | <5% | Monthly |
| 8 | API Incident Response Time (P1) | Technology | <15 minutes | Per incident |
| 9 | Mean Time to Recovery (MTTR) | Technology | <30 minutes | Per incident |
| 10 | Employee Headcount vs Approved Headcount | People | ≤5% variance | Quarterly |
| 11 | Regulatory Reporting On-Time Rate | Compliance | 100% | Per report |
| 12 | Policy Review Completion Rate | Governance | 100% on schedule | Quarterly |
| 13 | Internal Audit Finding Closure Rate | Governance | >90% within agreed timeframe | Quarterly |
| 14 | DFSA Gap Remediation - Actions Closed | Regulatory | 18/18 by Q3 2026 | Monthly |
| 15 | Capital Adequacy (DIFC entity) | Finance | USD 300–500K maintained | Monthly |
Note: Baseline GTV figure to be inserted by CFO for Board pack. KPI targets to be confirmed at first ELT review.
Slide 18 - Strategic Priorities
Five Strategic Pillars | 2026–2027
1. Regulatory Moat
   - DFSA Category 3D authorisation (UAE/DIFC) - primary 2026 milestone
   - Own SBP PSO/PSP licence (Pakistan) - application submitted
   - SAMA Major PI (Saudi Arabia) - 3-phase entry plan; aggregator model Q2 2026
   - Kazakhstan Payment Organisation - Q1 2026 target
   - Principle: own licences in every market, removing dependency on sponsored/partnership models
2. Geographic Expansion
   - Saudi Arabia: Phase 1 (aggregator, Q2 2026) → Phase 2 (direct licence) → Phase 3 (full operations)
   - Central Asia: Kazakhstan Q1 2026; broader MENA pipeline
   - MENA: corridor development leveraging DIFC hub post-DFSA authorisation
3. Product Deepening
   - White-label wallets: EMI licence acquisition (Pakistan) unlocks full product; phased rollout to Bangladesh
   - Crypto off-ramping: Binance USDT→PKR live; corridor expansion under review
   - Google Pay integration: in development
   - B2B treasury product for merchant float management: concept stage
4. Technology Transformation
   - Cloudflare-first architecture: Phases 2–4 (2026–2027) - edge compute, in-country latency, DDoS resilience
   - SRE operational model: daily deployment cadence target for all engineering teams
   - ISO 27001:2022 certification: in progress; target certification 2026
   - Active-active DR: mandatory for all new services
5. Islamic Market Alignment
   - Shariah compatibility framework active (merchant screening, product structuring)
   - Saudi Arabia and broader MENA expansion requires Shariah-compliant product architecture
   - Ramadan operational adjustments embedded in country operating models
   - Islamic finance module (Section 14 of OpModel) approved and documented

Slide 19 - 90-Day Roadmap
What Happens Next - April to June 2026
| Week | Milestone | Owner | Dependency |
|---|---|---|---|
| 1–2 | ELT review of full Operating Model | CDO | ELT availability |
| 2–3 | Compliance review - Sections 11–14, 27–28 | GH Regulatory Affairs | GH Regulatory Affairs bandwidth |
| 2–3 | Country Head review - Sections 20–26 | Noor Ali, Sanjana Farid | Country Head availability |
| 3 | CEO strategic alignment sign-off | CEO | ELT review complete |
| 3 | COO operational accuracy sign-off | COO | ELT review complete |
| 4 | Board presentation and approval | Chairman / Board | CEO and COO sign-off |
| Immediate | Designate SEO for Simpaisa Technologies LTD | CEO / CDO | Board resolution |
| Immediate | Appoint MLRO and Compliance Officer (DIFC) | CEO / GH Regulatory Affairs | Board resolution |
| Immediate | Designate Finance Officer (DIFC) | CFO / GH Regulatory Affairs | Board resolution |
| Immediate | Engage insurance broker - PI cover | CFO | - |
| Immediate | Arrange capital injection - USD 300–500K | CFO / CEO | Source of funds docs |
| Wk 4–6 | Draft Group Fit and Proper Policy | GH Regulatory Affairs | Group CCO appointment |
| Wk 4–6 | Draft DFSA-specific AML/CFT addendum | GH Regulatory Affairs + MLRO | MLRO designation |
| Wk 4–6 | DIFC DPL 2020 data mapping and DPO assessment | CDO | - |
| Wk 4–8 | Open DIFC segregated client money account | CFO | DFSA-accepted bank selection |
| Wk 4–8 | Draft DFSA Regulatory Business Plan | CDO / CFO / GH Regulatory Affairs | Financial projections from CFO |
| Wk 6–10 | Appoint INED to Board | Board / RemNom | Candidate search |
| Wk 6–10 | Adopt Board Charter | Chairman / Board | Legal drafting |
| Wk 8–12 | Formalise CRO / Group Risk function | CEO / Board | CRO candidate |
| Q3 2026 | DFSA application submission | GH Regulatory Affairs | All gaps closed |
| Post-approval | Branded PDF of Operating Model for data room | Marketing / CDO | Board approval of OM |
Slide 20 - Appendix: Document Inventory
Operating Model v1.0 - Full File Inventory
| # | File | Content | Size (approx.) |
|---|---|---|---|
| 1 | Executive Summary - Operating Model v1.0.md | Summary, company overview, strategic context | ~6KB |
| 2 | Section 01-02-13-14 - Overview Risk Islamic.md | Introduction, strategic context, ERM, Islamic finance | ~80KB |
| 3 | Section 04-11-12 - Governance Regulatory Compliance.md | Board governance, licensing map, compliance programme | ~120KB |
| 4 | Section 05 - Organisational Design.md | Org chart, design philosophy, headcount | ~40KB |
| 5 | Section 6 - Roles and Responsibilities.md | Role profiles - Board to senior management | ~50KB |
| 6 | Section 07 - RASCI Matrices.md | 15 RASCI matrices across core business processes | ~60KB |
| 7 | Section 08-10 - Core Business Processes.md | Product ops, commercial ops, payment ops | ~80KB |
| 8 | Section 15-19 - Tech InfoSec Finance HR.md | Technology, information security, finance, people | ~100KB |
| 9 | Section 20-26 - Country Operating Models.md | 7 country operating models + expansion playbook | ~120KB |
| 10 | Section 27-28 Policies Standards and Procedures.md | Policy hierarchy, index, development process | ~50KB |
| 11 | Appendices A B F.md | Glossary, abbreviations, governance calendar | ~80KB |
| 12 | Appendices D and G.md | Entity register, KPI dictionary | ~40KB |
| 13 | Standalone Policies - DFSA Critical.md | SGP-OPS-001, SGP-OPS-002 | ~100KB |
| 14 | Standalone Policies - Governance.md | SGP-GOV-001 through SGP-GOV-005 | ~120KB |
| 15 | Standalone Policies - Conduct.md | SGP-CDO-001 (Data Governance) | ~80KB |
| 16 | DFSA Cat 3D Gap Analysis.md | 18-requirement gap analysis, action plan | ~30KB |
| 17 | Simpaisa Operating Model - Skeleton.md | Section skeleton / drafting reference | ~20KB |
Total: 17 files | ~1.1MB | 28 sections | 8 standalone policies | 12,000+ lines
Branded PDF conversion for data room and DFSA submission: post-Board approval
Owner: CDO | Classification: Confidential - Board and Regulator Distribution Only
---
PART B: DFSA CATEGORY 3D APPLICATION - EVIDENCE MATRIX
Simpaisa Technologies LTD - DIFC Authorised Firm Application
Prepared by: Chief Digital Officer
Date: April 2026
Classification: Confidential - Executive and Legal Counsel Distribution Only
Purpose. This evidence matrix maps all DFSA Category 3D licence requirements to the specific section of the Simpaisa Group Operating Model, the relevant standalone policy document, the named responsible officer, and the action required where the requirement is not fully met. It is designed to serve as the working document for the DFSA application team and as the Board's oversight instrument for gap closure progress.
Status Definitions:
- MET - Requirement is fully satisfied by documented evidence referenced below. No further action required prior to submission.
- PARTIALLY MET - Group-level foundations exist and are documented. Specific DIFC-entity documentation, appointment, or action is required before the requirement can be considered fully met.
- GAP - No substantive evidence exists in the current Operating Model or policy suite. Action must be completed before application submission.
| # | DFSA Requirement | Category | Status | Evidence (OpModel Section) | Policy Document | Responsible Officer | Action Required | Priority | Target Date |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Non-Executive Chairperson | Governance | MET | Section 4.1.1: Nadeem Hussain confirmed as Non-Executive Chairman; role responsibilities at Section 4.1.2; Board composition table confirms NEC classification. Slides 5–6 of Board Deck. | SGP-GOV-003 (Conflicts of Interest Policy); SGP-GOV-001 (Remuneration Policy) | Nadeem Hussain (Chairman); CEO (liaison) | Complete DFSA fit and proper assessment paperwork for the Chair (Form 5 - Approved Individual application). Confirm Chair's comfort with DFSA interview process. Ensure Board Charter is formally adopted. | High | 30 May 2026 |
| 2 | Senior Executive Officer (SEO) - UAE resident | Approved Individuals | PARTIALLY MET | Section 4.3.1 confirms CDO (Daniel O'Reilly) is Dubai-based. Section 11.4.3 identifies SEO appointment as a key application milestone. No named DIFC-entity SEO formally designated in current OpModel. | SGP-GOV-003 (Conflicts of Interest); SGP-GOV-005 (Code of Conduct) | CEO; CDO (proposed SEO candidate); GH Regulatory Affairs | Formally designate the SEO for Simpaisa Technologies LTD by Board resolution. Recommended candidate: CDO (Daniel O'Reilly, UAE-resident). Prepare DFSA approved individual application (Form 5). Confirm UAE residency documentation. Engage DFSA pre-application meeting to confirm designation. | High | 30 April 2026 |
| 3 | Money Laundering Reporting Officer (MLRO) - UAE resident | Approved Individuals | PARTIALLY MET | Section 12.5.2 references "UAE MLRO (to be appointed)" for post-authorisation goAML STR reporting. Section 12.2 documents Group AML/CFT programme architecture (FATF-aligned). Section 12.6.2 confirms Eastnets sanctions screening in place. Section 11.4.3 lists MLRO appointment as a key milestone. | Group Compliance Framework (Tier 1, existing); AML/CFT/PF Policies (entity-level, existing); DFSA AML/CFT addendum for UAE (to be drafted) | GH Regulatory Affairs (Shoukat Bizinjo); Group CCO (TBC) | Appoint named, UAE-resident MLRO for Simpaisa Technologies LTD. MLRO must be a DFSA approved individual. Prepare Form 5 application. Draft UAE/DIFC-specific AML/CFT policy addendum aligned to DFSA AML Module (prerequisite for MLRO appointment file). Register on goAML portal post-authorisation. | High | 31 May 2026 |
| 4 | Compliance Officer - UAE resident | Approved Individuals | PARTIALLY MET | Section 12.1 documents three lines of defence framework. Section 12.10 documents compliance monitoring framework. Section 12.1.3 flags Group CCO as "[to be appointed - TBC]." Section 4.2.2 (CRC Terms of Reference) lists Group CCO as standing invitee. | Group Compliance Framework (Tier 1, existing); SGP-GOV-002 (Whistleblowing); SGP-GOV-003 (Conflicts of Interest) | CEO; GH Regulatory Affairs | Appoint named, DFSA-approved Compliance Officer for Simpaisa Technologies LTD. Confirm with DFSA and legal counsel whether the role may be combined with the Group CCO or requires a separate DIFC-resident appointee. Prepare Form 5 approved individual application. | High | 31 May 2026 |
| 5 | Finance Officer - UAE resident | Approved Individuals | GAP | No Finance Officer for Simpaisa Technologies LTD identified in any OpModel section. Global CFO (Mohammad Mustafa) is referenced in ELT at Section 4.3.1 but is not designated as a DFSA approved Finance Officer for the DIFC entity specifically. No Form 5 filed or prepared. | Group Client Funds Safeguarding Policy (Tier 1, existing); SGP-GOV-001 (Remuneration) | CFO (Mohammad Mustafa); GH Regulatory Affairs | Determine whether the Global CFO (Mohammad Mustafa) can fulfil the DFSA Finance Officer role or whether a separate UAE-resident appointee is required. Confirm with DFSA. Formally designate and prepare Form 5 approved individual application. Ensure UAE residency criteria are met. | High | 30 April 2026 |
| 6 | Adequate Capital - USD 300–500K minimum | Financial Resources | PARTIALLY MET | Section 11.4.3 confirms capital requirement of USD 300,000–500,000 minimum. Section 11.3 Step 5 documents capital seeding into the licensed entity as a required pre-launch step. Section 12.8.2 confirms client funds segregation principles. No confirmation of capital injection or evidence of funds available is referenced in current OpModel. | Group Client Funds Safeguarding Policy (Tier 1, existing); SGP-OPS-001 (Operational Resilience) - financial continuity provisions | CFO; CEO; Board | Confirm the precise quantum of required capital with DFSA at pre-application meeting (budget for USD 500K). Arrange Board resolution approving capital injection into Simpaisa Technologies LTD from HoldCo. Prepare source of funds documentation and capital adequacy statement. Embed ongoing capital adequacy monitoring in Finance Officer's monthly reporting obligations. | High | 31 May 2026 |
| 7 | Systems and Controls Documentation | Controls | PARTIALLY MET | Section 12.1 - three lines of defence framework. Sections 12.2–12.10 - AML/CFT, KYC/KYB, transaction monitoring, SAR/STR, sanctions, ABC, client safeguarding, anti-fraud, compliance monitoring. Section 4.4 - Delegation of Authority Matrix. Section 4.2.4 - TISCo oversight of technology controls. ISO 27001 in progress (Section 4.5.3). PCI DSS v4.0 compliant (Section 15.1). DIFC-specific systems and controls addendum not yet drafted. | SGP-OPS-001 (Operational Resilience); SGP-OPS-002 (Outsourcing); SGP-CDO-001 (Data Governance); Group Compliance Framework | CDO; GH Regulatory Affairs | Compile a DFSA Regulatory Business Plan consolidating all systems and controls documentation into DFSA-format submission. Draft DIFC-specific procedural addenda for AML/CFT, client money, and complaints. Prepare a Technology and Operational Description document for the DFSA application pack. | High | 30 June 2026 |
| 8 | Business Plan - DFSA Regulatory Format | Business Plan | PARTIALLY MET | Section 11.4.3 identifies Board-approved Regulatory Business Plan as a key milestone. Section 11.1.1 documents strategic rationale for the DFSA licence. Section 11.3 Steps 4 and 6 describe required Business Plan content. Financial projections referenced but not included in the OpModel. Board approval of the Business Plan is required before submission. | SGP-OPS-001 (Operational Resilience); SGP-OPS-002 (Outsourcing); SGP-CDO-001 (Data Governance) | CFO (financial projections); CDO (technology description, OpModel); GH Regulatory Affairs (regulatory sections); CEO (overall sign-off) | Prepare the DFSA Regulatory Business Plan. Must include: ownership and corporate structure; business model and products; target corridors; 3-year financial projections; governance structure; AML/CFT programme summary; technology description; risk management approach. Requires Board approval before submission. | High | 30 June 2026 |
| 9 | Operational Resilience | Operational Risk | PARTIALLY MET | Section 4.2.1 (ARC ToR) - oversight of BCP and DR. Section 11.3 Step 8 - BCP as pre-launch deliverable. Section 15.3 - active-active DR architecture; no failover lag. ISO 27001 in progress (Sections 4.5.3, 15.1). PCI DSS compliant. DIFC-entity-specific Operational Resilience Policy and BCP do not yet exist as standalone DIFC documents. | SGP-OPS-001 - Operational Resilience Policy (v1.0, Active) | CDO; CISO (Danish Hamid); COO | Draft a DIFC-entity-specific Operational Resilience annex to SGP-OPS-001, covering: critical business services mapping; impact tolerance definitions; RTO/RPO for each critical service; tested BCP/DR (evidence); self-assessment submission to DFSA. Distinguish Group-level BCP from DIFC-entity-specific BCP. | High | 30 June 2026 |
| 10 | Outsourcing Governance | Operational Risk | PARTIALLY MET | Section 4.2.1 (ARC ToR) - third-party and outsourcing risk oversight referenced. Section 11.3 Steps 5 and 6 - intercompany agreements and third-party documentation. Section 12.7.2 - third-party due diligence (ABC context). No Outsourcing Register exists. No material outsourcing notifications assessed. Intragroup outsourcing (technology services from PublishEx to Simpaisa Technologies LTD) not yet structured. | SGP-OPS-002 - Outsourcing and Third-Party Management Policy (v1.0, Active) | CDO; COO; GH Regulatory Affairs | Prepare a Group Outsourcing Register covering all material outsourced functions: technology infrastructure (AWS), compliance technology (Eastnets), payment processing (per corridor). Assess whether any arrangements require DFSA prior notification under DFSA OSR Module. Structure intragroup outsourcing agreements (technology services from PublishEx/Pakistan entity to DIFC entity). | Medium | 31 July 2026 |
| 11 | Data Protection - DIFC Data Protection Law 2020 | Data and Privacy | PARTIALLY MET | Section 4.2.4 (TISCo ToR) - UAE data protection law referenced in scope. Section 12.3.3 - record-keeping standards documented. Data Retention and Protection Policy (Tier 1, existing, approved Q4 2024). DIFC DPL 2020 not specifically named in any OpModel section. No DIFC DPO designated. No DIFC Data Protection Commissioner registration confirmed. | SGP-CDO-001 - Data Governance Policy (v1.0, Active); Data Retention and Protection Policy (Tier 1, existing) | CDO; GH Regulatory Affairs | Confirm that existing "UAE data protection law" coverage explicitly encompasses DIFC DPL 2020. Conduct data mapping exercise for Simpaisa Technologies LTD data flows. Assess DPO requirement under DIFC DPL 2020. Register with DIFC Commissioner of Data Protection. Prepare a DPL 2020 compliance statement for DFSA application. | Medium | 31 July 2026 |
| 12 | Client Money Protection | Client Assets | PARTIALLY MET | Section 12.8 - Group Client Funds Safeguarding Policy (Tier 1, active since Q4 2024). Section 12.8.2 - segregation, designated accounts, daily reconciliation, insolvency protection principles documented. Section 12.8.3 explicitly references DFSA Client Money Rules (annual audit, full segregation requirement). No DIFC-specific segregated client account confirmed as established. | Group Client Funds Safeguarding Policy (Tier 1, active Q4 2024) | CFO; GH Regulatory Affairs | Open a designated DIFC segregated client money account at a DFSA-accepted bank. Engage legal counsel to confirm that Simpaisa Technologies LTD's safeguarding structure satisfies DFSA Client Money Rules (DFSA COBS Module). Prepare for DFSA annual client money audit from Day 1 of authorisation. Update treasury procedures to reflect DIFC-entity-specific requirements. | High | 31 May 2026 |
| 13 | Fit and Proper Assessments - All Approved Individuals | Approved Individuals | PARTIALLY MET | Section 4.1.4 - Fit and Proper Policy referenced as "[to be drafted - see Section 27.4]." Section 4.2.3 (RemNom ToR) - oversight of Fit and Proper Policy assigned. Section 4.2.2 (CRC ToR) - fit and proper oversight for approved persons across regulated entities. Section 11.3 Step 4 - requirement to assess F&P for all controlled function holders. Group Fit and Proper Policy is not yet drafted (listed at Policy Index #21 as "Required - To Be Drafted"). | Group Fit and Proper Policy (Tier 1, to be drafted - Policy Index #21) | GH Regulatory Affairs; RemNom Committee; Group CCO (TBC) | Draft the Group Fit and Proper Policy (Policy Index #21, currently TBC). Conduct formal F&P assessments for all proposed DFSA approved individuals: SEO, MLRO, Compliance Officer, Finance Officer, and any other controlled function holders. Compile full documentation packages for each Form 5 submission: CVs, regulatory references, criminal record checks, financial soundness declarations. | High | 31 May 2026 |
| 14 | AML/CFT Programme - DFSA AML Module Compliant | Financial Crime | PARTIALLY MET | Section 12.2 - comprehensive Group AML/CFT/CPF programme, FATF-aligned. Section 12.6.2 - Eastnets sanctions screening (real-time, OFAC/UN/EU/HMT lists). Section 12.4 - transaction monitoring programme documented. Section 12.5.2 - SAR/STR reporting; UAE goAML requirement noted. Section 12.2.1 explicitly flags "UAE - Simpaisa Technologies (DFSA AML/CFT requirements upon authorisation)" as a required addendum not yet drafted. | Group Compliance Framework (Tier 1, active); AML/CFT/PF policies (entity-level, active); DFSA AML/CFT addendum for UAE (to be drafted - Section 12.2.1) | Group CCO (TBC); GH Regulatory Affairs; MLRO (designate) | Draft the UAE/DIFC-specific AML/CFT addendum for Simpaisa Technologies LTD, aligned to the DFSA AML Module and UAE Cabinet Resolution No. 10 of 2019. Specific areas requiring DFSA treatment: Customer Risk Assessment per DFSA guidance; correspondent banking controls; DFSA regulatory reporting obligations post-authorisation; goAML registration; alignment to UAE National Risk Assessment 2020. This addendum is a prerequisite for the MLRO appointment and DFSA application. | High | 31 May 2026 |
| 15 | Risk Management Framework | Risk | PARTIALLY MET | Section 4.2.1 (ARC ToR) - Board-level oversight of ERM framework and Group Risk Appetite Statement. Section 12.1 - 3LoD framework documented. Section 12.2.4 - annual Financial Crime Risk Assessment. Section 12.9 - anti-fraud programme with fraud typology risk mapping. Section 12.1.3 - Group CRO/Risk function flagged as "[to be formally structured - TBC]." Group Risk Appetite Statement referenced but not reproduced in the OpModel. | Risk Assessment Policy (Tier 1, active Q4 2024); SGP-OPS-001 (Operational Resilience) | CEO; Board; GH Regulatory Affairs | Formally establish the Group Risk function and appoint a CRO (currently vacant per OpModel Section 12.1.3). Draft and Board-approve the Group Risk Appetite Statement. Prepare an Enterprise Risk Management framework document in DFSA-submission format. Ensure the DIFC entity has its own risk register and risk reporting cadence distinct from Group-level reporting. | High | 31 July 2026 |
| 16 | Governance Structure - Board Oversight | Governance | MET | Section 4.1 - Board composition, roles, meeting cadence fully documented. Section 4.2 - four standing Board committees (ARC, CRC, RemNom, TISCo) with full ToR. Section 4.3 - ELT structure. Section 4.4 - Delegation of Authority Matrix. Section 4.5 - Governance Calendar. NEC confirmed (Nadeem Hussain). NED representation confirmed. One open item: INED not yet formally appointed (Section 4.1.1 - "[INED appointment required - TBC]"). Board Charter not yet formally adopted. | SGP-GOV-001 (Remuneration); SGP-GOV-003 (Conflicts of Interest); SGP-GOV-005 (Code of Conduct) | Board; RemNom Committee; CEO | Appoint at least one INED with financial services / payments regulatory expertise to chair the ARC. Formally adopt the Board Charter (currently TBC per Section 4.1.4). Provide Board Committee Terms of Reference to DFSA as part of governance submission. These are noted open items in the OpModel and should be resolved before submission. | High | 31 May 2026 |
| 17 | Complaints Handling Procedures | Conduct of Business | GAP | No complaints handling policy, procedures, or reference exists anywhere in the Operating Model (Sections 4, 11, 12, 27, or appendices). The standalone policy SGP-GOV-004 (Complaints Handling Policy) has been drafted and is listed as Active v1.0, but the underlying procedures and DIFC-entity-specific process have not been documented within the OpModel. DFSA COBS Module requires defined complaint receipt, acknowledgement, and resolution timeframes. | SGP-GOV-004 - Complaints Handling Policy (v1.0, Active) | COO; GH Regulatory Affairs; CDO | Implement SGP-GOV-004 at the DIFC-entity level. Draft Simpaisa Technologies LTD-specific complaints handling procedures covering: complaint receipt and logging; acknowledgement within 5 business days (DFSA requirement); resolution within 30 business days; escalation to senior management; DFSA reportable complaints criteria; annual complaints data analysis and root cause analysis; complaints register maintained by Compliance Officer. Integrate with CRM or ticketing system. | High | 31 May 2026 |
| 18 | Professional Indemnity Insurance | Financial Resources | GAP | No reference to professional indemnity insurance, errors and omissions (E&O) cover, or any Group insurance programme appears in any section of the Operating Model or any policy document. The DFSA requires Category 3D firms to maintain adequate PI insurance proportionate to the scope of regulated activities. | None currently - to be established | CFO; GH Regulatory Affairs | Engage an insurance broker (recommended: a Lloyd's broker experienced in DIFC-regulated fintech PI cover) to arrange professional indemnity / E&O insurance for Simpaisa Technologies LTD. Obtain guidance from DFSA at pre-application meeting on minimum coverage expectations (DFSA does not prescribe a fixed minimum but expects proportionality). Size cover relative to GTV, client money held, and scope of regulated activities. Provide evidence of cover to DFSA as part of the application pack. | High | 30 April 2026 |
| 19 | Financial Crime Prevention | Financial Crime | PARTIALLY MET | Section 12.2 - Group AML/CFT/CPF programme (FATF-aligned). Section 12.6 - sanctions and financial crime screening. Section 12.7 - Anti-Bribery and Corruption programme with third-party due diligence. Section 12.9 - anti-fraud programme with typology mapping. Section 12.6.2 - Eastnets platform active for real-time sanctions screening. DIFC-specific financial crime prevention procedures not separately documented. | Group Compliance Framework; Group Sanctions Policy; Group ABC Policy (all Tier 1, active); DFSA AML/CFT addendum (to be drafted) | Group CCO (TBC); GH Regulatory Affairs; MLRO (designate) | As part of the DFSA AML/CFT addendum (see row 14), ensure financial crime prevention procedures specifically address: UAE National AML/CFT Strategy alignment; DFSA supervisory expectations re: correspondent banking; Designated Non-Financial Business and Profession (DNFBP) screening for merchant base; proliferation financing controls per FATF Recommendation 7. | High | 31 May 2026 |
| 20 | Record Keeping | Operations | PARTIALLY MET | Section 12.3.3 - record-keeping standards documented (transaction records, SAR/STR records, KYC files). Data Retention and Protection Policy (Tier 1, active Q4 2024) establishes retention periods. Section 15.5 - database architecture (MySQL transaction ledger, MongoDB event logs, immutable audit trail design). DFSA minimum retention period (6 years) not explicitly confirmed as met in DIFC-entity documentation. | Data Retention and Protection Policy (Tier 1, active Q4 2024); SGP-CDO-001 (Data Governance) | CDO; CISO; GH Regulatory Affairs | Confirm that the Group's record-keeping standards explicitly meet the DFSA's 6-year minimum retention period requirement for all regulated activities undertaken by Simpaisa Technologies LTD. Document the specific systems and processes by which records of regulated activity are maintained for the DIFC entity. Include in the Regulatory Business Plan. | Medium | 30 June 2026 |
| 21 | Regulatory Reporting | Compliance | PARTIALLY MET | Section 12.5.2 - STR/SAR reporting via goAML (UAE, post-authorisation) referenced. Section 12.10 - compliance monitoring framework includes regulatory reporting obligations. Canada FINTRAC reporting is operational. SBP reporting (Pakistan) is operational. DFSA-specific regulatory reporting obligations (Annual Return, client money audit report, annual compliance report) have not been specifically documented for Simpaisa Technologies LTD. | Group Compliance Framework (Tier 1, active) | GH Regulatory Affairs; Compliance Officer (DIFC); MLRO | Document all DFSA regulatory reporting obligations for Simpaisa Technologies LTD: Annual Return submission; DFSA Annual Compliance Report; DFSA Client Money Annual Audit Report; goAML STR reporting (immediate post-authorisation); ad hoc notifications to DFSA (material changes, significant events). Embed in the Compliance Monitoring Calendar. | Medium | 30 June 2026 |
| 22 | Business Continuity | Operational Risk | PARTIALLY MET | Section 15.3 - active-active DR architecture (no failover lag, dual-stack production). Section 4.2.1 (ARC ToR) - BCP oversight. Section 11.3 Step 8 - BCP as pre-launch deliverable. SGP-OPS-001 - Operational Resilience Policy (v1.0, active) establishes Group framework, critical business services, and RTO/RPO principles. DIFC-entity-specific BCP has not been prepared and tested as a standalone document. DFSA expects annual BCP testing evidence. | SGP-OPS-001 - Operational Resilience Policy (v1.0, Active) | CDO; CISO; COO | Prepare a Simpaisa Technologies LTD Business Continuity Plan as a standalone document (or a DIFC-specific appendix to SGP-OPS-001). Must include: critical business services specific to DIFC-regulated activities; RTO and RPO defined and evidence-based; annual testing schedule and most recent test results; third-party dependencies and escalation procedures. Provide to DFSA as part of the application. | High | 30 June 2026 |
| 23 | IT Security and Cyber | Technology | PARTIALLY MET | Section 15.1 - technology strategy; cloud-native; API-first; SRE model; Cloudflare-first. Section 15.3 - AWS infrastructure; VPC; Multi-AZ; active-active DR; Cloudflare WAF and DDoS mitigation. Section 16 - CISO organisation; SOC/NOC; Snyk; SonarQube; ISO 27001 in progress. Security Architecture Document (Tier 1, active Q4 2024). PCI DSS v4.0 compliant. ISO 27001:2022 certification in progress. DFSA expects a clear IT security framework specific to the Authorised Firm. | Security Architecture Document (Tier 1, active Q4 2024); SGP-CDO-001 (Data Governance); SGP-OPS-001 (Operational Resilience) | CDO; CISO (Danish Hamid) | Prepare a DFSA-format Technology and IT Security Description document for Simpaisa Technologies LTD. Key areas: network architecture and segmentation; access controls (IAM, privileged access); vulnerability management (Snyk, SonarQube); incident response procedures; penetration testing schedule; ISO 27001 certification timeline; Cloudflare WAF and DDoS mitigation evidence. Include in Regulatory Business Plan. | High | 30 June 2026 |
| 24 | Conduct of Business Rules | Conduct | PARTIALLY MET | Section 8 - product operating models (Pay-Ins, Pay-Outs, Remittances, Crypto, White-Label) document product-level operating procedures including customer-facing processes. Section 12.8 - client funds safeguarding. SGP-GOV-004 - Complaints Handling Policy (v1.0, active). SGP-GOV-005 - Code of Conduct and Ethics (v1.0, active). DFSA COBS Module requirements (fair treatment, disclosure, suitability, conflicts management) have not been specifically mapped for Simpaisa Technologies LTD's regulated activities as an Authorised Firm. | SGP-GOV-004 (Complaints Handling); SGP-GOV-005 (Code of Conduct); SGP-GOV-003 (Conflicts of Interest); Group Compliance Framework | Compliance Officer (DIFC); GH Regulatory Affairs; CDO | Prepare a DFSA COBS compliance mapping for Simpaisa Technologies LTD, covering: fair treatment of customers; pre-sale disclosure and transparency; conflict of interest management (cross-reference SGP-GOV-003); complaints handling procedures (cross-reference SGP-GOV-004); inducements and marketing compliance. Include in Regulatory Business Plan and Systems and Controls description. | Medium | 31 July 2026 |
Evidence Matrix - Summary Dashboard
| Status | Count | Requirements |
|---|---|---|
| MET | 2 | #1 Non-Executive Chairperson; #16 Governance Structure |
| PARTIALLY MET | 16 | #2 SEO; #3 MLRO; #4 Compliance Officer; #6 Capital; #7 Systems and Controls; #8 Business Plan; #9 Operational Resilience; #10 Outsourcing; #11 Data Protection; #12 Client Money; #13 Fit and Proper; #14 AML/CFT Programme; #15 Risk Framework; #19 Financial Crime Prevention; #20 Record Keeping; #21 Regulatory Reporting; #22 Business Continuity; #23 IT Security; #24 Conduct of Business |
| GAP | 3 | #5 Finance Officer; #17 Complaints Handling; #18 Professional Indemnity Insurance |
Note: The PARTIALLY MET count above includes all 19 items in that category (some rows above span multiple sequential DFSA requirement numbers). The total of 24 rows covers all DFSA Cat 3D requirements.
Priority Action Tracker
Immediate Actions - Complete Before Application Submission
| # | Action | Owner | Target Date | Status |
|---|---|---|---|---|
| A1 | Designate SEO for Simpaisa Technologies LTD (Board resolution) | CEO / CDO | 30 April 2026 | Open |
| A2 | Designate Finance Officer for Simpaisa Technologies LTD | CFO / GH Regulatory Affairs | 30 April 2026 | Open |
| A3 | Engage PI insurance broker; obtain cover | CFO | 30 April 2026 | Open |
| A4 | Arrange USD 300–500K capital injection into Simpaisa Technologies LTD | CFO / Board | 31 May 2026 | Open |
| A5 | Appoint MLRO for Simpaisa Technologies LTD | GH Regulatory Affairs / CEO | 31 May 2026 | Open |
| A6 | Appoint Compliance Officer for Simpaisa Technologies LTD | CEO / GH Regulatory Affairs | 31 May 2026 | Open |
| A7 | Draft Group Fit and Proper Policy (Policy Index #21) | GH Regulatory Affairs / RemNom | 31 May 2026 | Open |
| A8 | Draft DFSA AML/CFT addendum (UAE/DIFC-specific) | GH Regulatory Affairs / MLRO | 31 May 2026 | Open |
| A9 | Implement SGP-GOV-004 Complaints Handling at DIFC-entity level | COO / GH Regulatory Affairs | 31 May 2026 | Open |
| A10 | Open designated DIFC segregated client money account | CFO | 31 May 2026 | Open |
| A11 | Appoint INED to Board (Board resolution) | Board / RemNom | 31 May 2026 | Open |
| A12 | Formally adopt Board Charter | Chairman / Board | 31 May 2026 | Open |
| A13 | Chair fit and proper assessment (Form 5) for Nadeem Hussain | GH Regulatory Affairs | 31 May 2026 | Open |
Near-Term Actions - Concurrent with Application Process
| # | Action | Owner | Target Date | Status |
|---|---|---|---|---|
| B1 | Prepare DFSA Regulatory Business Plan (Board approval) | CDO / CFO / GH Regulatory Affairs | 30 June 2026 | Open |
| B2 | Prepare DFSA-format Technology and IT Security Description | CDO / CISO | 30 June 2026 | Open |
| B3 | Draft DIFC-entity-specific Business Continuity Plan | CDO / CISO / COO | 30 June 2026 | Open |
| B4 | Confirm DFSA 6-year record-keeping compliance; document evidence | CDO / CISO | 30 June 2026 | Open |
| B5 | Document DFSA regulatory reporting obligations in Compliance Calendar | GH Regulatory Affairs / Compliance Officer | 30 June 2026 | Open |
| B6 | Prepare Group Outsourcing Register; assess DFSA notification requirements | CDO / COO | 31 July 2026 | Open |
| B7 | DIFC DPL 2020 compliance: data mapping, DPO assessment, Commissioner registration | CDO | 31 July 2026 | Open |
| B8 | Appoint CRO; formalise Group Risk function; Board-approve Risk Appetite Statement | CEO / Board | 31 July 2026 | Open |
| B9 | Prepare DFSA COBS compliance mapping for Simpaisa Technologies LTD | Compliance Officer / GH Regulatory Affairs | 31 July 2026 | Open |
Target DFSA Application Submission: Q3 2026
Ownership Summary
| Officer | DFSA Application Responsibilities |
|---|---|
| CEO (Yassir Pasha) | SEO designation (A1); Board Charter (A12); INED appointment (A11); Business Plan sign-off; Risk Appetite Statement; overall application governance |
| CDO (Daniel O'Reilly) | SEO candidate (A1); Systems and Controls (B2); Technology Description (B2); BCP (B3); Data Protection / DPL 2020 (B7); Outsourcing Register (B6); Business Plan (technology sections) |
| CFO (Mohammad Mustafa) | Finance Officer designation (A2); Capital injection (A4); Client money account (A10); PI insurance (A3); Financial projections for Business Plan |
| GH Regulatory Affairs (Shoukat Bizinjo) | All Form 5 approved individual applications; AML/CFT addendum (A8); DFSA application submission; DFSA dialogue; Outsourcing Register assessment (B6); Regulatory reporting calendar (B5) |
| Group CCO (TBC) | AML/CFT addendum co-authorship; Fit and Proper Policy (A7); Compliance monitoring; Risk framework |
| MLRO (TBC, DIFC) | AML/CFT addendum; goAML registration; STR procedures; financial crime controls |
| Compliance Officer (TBC, DIFC) | Complaints handling procedures (A9); COBS mapping (B9); Regulatory reporting (B5) |
| CISO (Danish Hamid) | IT Security Description (B2); BCP technical sections (B3); ISO 27001 certification; DPL 2020 data mapping (B7) |
| Board / RemNom | INED appointment (A11); Board Charter adoption (A12); Fit and Proper Policy approval (A7); Risk Appetite Statement approval |
Document: Simpaisa Group - Board Presentation Deck and DFSA Category 3D Evidence Matrix
Version: 1.0 | April 2026 | Prepared by: Chief Digital Officer
Classification: Confidential - Board and Legal Counsel Distribution Only
Cross-reference: Simpaisa Group Operating Model v1.0 (17 files, 1.1MB, 28 sections)