
Simpaisa Group - Risk and Prudential Suite


Three standalone documents are contained in this file:

  1. Financial Crime Risk Assessment (FCRA) - Annual
  2. Capital Adequacy Policy - SGP-FIN-002
  3. Fitness and Propriety Policy - SGP-GOV-007

 


Document 1

Financial Crime Risk Assessment (FCRA)

Simpaisa Group - Annual Assessment

Assessment Period: Financial Year 2025–2026


Field | Detail
Document Type | Risk Assessment (not a policy)
Classification | Confidential - Board Restricted
Owner | MLRO - Shoukat Bizinjo
Approver | Board Audit and Risk Committee (ARC)
Review Frequency | Annual (or following material change)
Next Review Due | April 2027
Version | 1.0
Date | April 2026

Table of Contents

  1. Executive Summary
  2. Assessment Scope and Methodology
  3. Risk Dimension Ratings: Geography
  4. Risk Dimension Ratings: Customer
  5. Risk Dimension Ratings: Channel and Delivery
  6. Product-Level Assessments
     6.1 Pay-Ins
     6.2 Pay-Outs
     6.3 Remittances
     6.4 Crypto Off-Ramping
     6.5 White-Label Wallets
  7. Corridor-Level Assessment
  8. Emerging Risks
  9. Control Environment Assessment
  10. Residual Risk Heat Map
  11. Action Plan and Remediation
  12. Board Sign-Off

1. Executive Summary

Simpaisa Group is a cross-border payments and financial technology group operating across nine legal entities and eight jurisdictions: Pakistan (PK), Bangladesh (BD), Nepal (NP), Iraq (IQ), the United Arab Emirates (UAE), Canada (CA), the United Kingdom (UK), and Singapore (SG). The Group processes in excess of USD 1 billion annually across its product suite, which comprises Pay-Ins, Pay-Outs, Remittances, Crypto Off-Ramping, and White-Label Wallets.

This Financial Crime Risk Assessment (FCRA) has been prepared by the Group MLRO, Shoukat Bizinjo, in accordance with the DFSA's Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML Module), and consistent with FATF Recommendations 1 and 2 (risk-based approach). It is presented to the Board Audit and Risk Committee (ARC) for approval.

The assessment identifies, analyses, and documents the Group's exposure to money laundering (ML), terrorist financing (TF), fraud, sanctions evasion, and bribery and corruption across all products, geographies, customer segments, and delivery channels.

Overall Inherent Risk Rating: HIGH

The Group's inherent risk is rated High, primarily driven by:

  • Significant exposure to high-risk corridors (Canada-to-Pakistan, GCC-to-Bangladesh, UAE-to-Iraq);
  • Crypto Off-Ramping product, which carries the highest inherent ML/TF risk across the portfolio;
  • Customer segments including unverified crypto users and agent-mediated remittance senders;
  • Jurisdictional exposure to countries with elevated FATF grey-list status or limited AML infrastructure.

Residual Risk Rating (post-controls): MEDIUM-HIGH

The Group's AML programme is assessed as partially effective. While foundational controls (KYC, sanctions screening, transaction monitoring) are in place, several gaps in control design and operational consistency reduce their effectiveness. The action plan in Section 11 sets out targeted remediation measures required to bring residual risk to a Medium level within the next 12 months.


2. Assessment Scope and Methodology

2.1 Scope

This assessment covers:

  • All products offered by Simpaisa Group as at the assessment date;
  • All jurisdictions in which the Group operates or has licensed entities;
  • All customer segments served, including merchants, individual remitters, crypto users, and white-label wallet end-users;
  • All delivery and payment channels used;
  • All active payment corridors.

2.2 Methodology

The assessment applies a structured, three-stage risk scoring methodology:

Stage 1 - Inherent Risk Score: Each risk dimension (product, geography, customer, channel) is rated on a 5-point scale for inherent risk - the risk present before any controls are applied.

Score | Rating
1 | Very Low
2 | Low
3 | Medium
4 | High
5 | Very High

Stage 2 - Control Effectiveness Score: The effectiveness of existing controls is assessed on a 5-point scale:

Score | Effectiveness
1 | Very Strong - controls comprehensively mitigate inherent risk
2 | Strong
3 | Adequate
4 | Partial - controls exist but have material gaps
5 | Weak - controls are absent or largely ineffective

Stage 3 - Residual Risk Score: Residual risk is calculated as:

Residual Risk = Inherent Risk Score + Control Effectiveness Score − 3

Scores are bounded between 1 and 5. This formula ensures that strong controls reduce residual risk below inherent risk, and weak controls leave residual risk at or above inherent risk.

2.3 Risk Categories Assessed

  • Money Laundering (ML)
  • Terrorist Financing (TF)
  • Fraud (including card fraud, identity fraud, and social engineering)
  • Sanctions Evasion
  • Bribery and Corruption

2.4 Information Sources

  • FATF Mutual Evaluation Reports and follow-up reports for all operating jurisdictions;
  • DFSA AML Module and associated guidance;
  • Basel AML Index 2024;
  • Group transaction data and suspicious activity reporting trends (FY 2024–2025);
  • Internal audit findings;
  • Industry typologies published by FATF, Egmont Group, and ACAMS.

3. Risk Dimension Ratings: Geography

The jurisdictional risk ratings below reflect the ML/TF environment in each country, including FATF status, quality of AML/CFT frameworks, corruption indices, and the nature of Simpaisa's presence or transactional exposure in each market.

Jurisdiction | FATF Status | Inherent Risk Rating | Score | Rationale
Pakistan (PK) | Grey List (exited 2022; ongoing monitoring) | High | 4 | High volume of informal value transfer; hawala networks active; corridor risk with GCC; residual grey-list vulnerabilities
Bangladesh (BD) | Under enhanced monitoring (exited 2023) | High | 4 | Garment sector cash flows; high remittance dependency; enforcement gaps; agent network vulnerabilities
Nepal (NP) | FATF mutual evaluation ongoing | Medium-High | 3.5 | Informal economy; migrant worker remittance flows; limited AML infrastructure; India corridor risks
Iraq (IQ) | High-risk jurisdiction; active FATF concerns | High | 4.5 | Sanctions proximity (Iran border); currency substitution; state fragility; terrorism financing risks
UAE | Not on grey list; FATF member; MENAFATF | Medium | 3 | High cash economy; trade-based ML; real estate; however strong regulatory framework (DFSA, CBUAE)
Canada (CA) | FATF member; strong framework | Low | 2 | Robust AML regime (FINTRAC); diaspora remittance flows present but well-regulated
United Kingdom (UK) | FATF member; FCA-regulated environment | Low | 2 | Strong regulatory framework; diaspora corridor; well-supervised MSB environment
Singapore (SG) | FATF member; MAS-regulated | Low | 1.5 | Highly sophisticated AML regime; low inherent risk; regional hub with strong compliance culture

4. Risk Dimension Ratings: Customer

Customer Segment | Inherent Risk | Score | Key Risk Indicators
Verified merchants (domestic and cross-border) | Medium | 3 | Merchant collusion; structuring through high-volume low-value transactions; refund abuse
Individual remittance senders (retail) | Medium-High | 3.5 | Smurfing; use of multiple senders for single beneficiary; limited financial sophistication
Agent-mediated remittance customers | High | 4 | Reduced KYC rigour at agent level; face-to-face cash acceptance; limited traceability
Crypto off-ramp users | High | 4.5 | Proceeds from mixing services; ransomware; DeFi anonymisation; sanctions evasion via crypto
White-label wallet end-users | High | 4 | Synthetic identity; stored value abuse; TF via pre-paid instruments; limited issuer oversight
Corporate clients (B2B Pay-Ins / Pay-Outs) | Medium | 3 | Beneficial ownership opacity; shell company risk; trade finance manipulation
PEPs and their associates | High | 4.5 | Elevated bribery and corruption risk in high-risk jurisdictions; state-owned enterprise involvement

5. Risk Dimension Ratings: Channel and Delivery

Channel | Delivery Type | Inherent Risk | Score | Notes
API / Digital (direct merchant integration) | Non-face-to-face | Medium | 3 | Strong technical controls possible; fraud via compromised API keys
Mobile wallet (app-based) | Non-face-to-face | Medium-High | 3.5 | Device takeover; SIM swap; biometric spoofing
OTC / Agent (cash in, cash out) | Face-to-face | High | 4.5 | Highest ML/TF risk; reduced verification; cash acceptance; agent compliance dependency
Bank transfer (SWIFT, local rails) | Non-face-to-face | Medium | 3 | Well-understood risk; bank counterparty risk; correspondent banking de-risking
Crypto (blockchain-based settlement) | Non-face-to-face | Very High | 5 | Pseudonymity; mixing; cross-chain bridging; DeFi interoperability; Travel Rule gaps

Note on face-to-face vs. non-face-to-face: The DFSA AML Module requires enhanced due diligence for non-face-to-face onboarding. However, in Simpaisa's context, OTC/agent channels present higher overall risk despite being face-to-face, due to reliance on third-party agent compliance and cash handling. The digital channels benefit from automated controls and audit trails despite being non-face-to-face.


6. Product-Level Assessments

6.1 Pay-Ins

Product Description: Pay-Ins enable merchants to accept payments from customers via card, bank transfer, and mobile money. Simpaisa acts as payment aggregator, routing transactions through acquiring relationships. Primary markets: UAE, UK, Pakistan, Bangladesh.

Inherent Risk Rating: Medium-High (Score: 3.5)

Key Financial Crime Typologies:

Card Fraud and Merchant-Facilitated Fraud: Merchants accepting stolen card payments and passing funds through the platform constitute a significant risk. This includes the use of Simpaisa's infrastructure to launder the proceeds of card-not-present fraud. The risk is heightened where merchants operate in high-risk MCC categories (gambling-adjacent, digital goods, travel) and where card-issuing jurisdictions differ from acquiring jurisdictions.

Merchant Collusion: A merchant may collude with fraudsters to process illegitimate transactions, or may knowingly facilitate money laundering by processing transactions for third parties. Given Simpaisa's exposure to SME merchants in Pakistan and Bangladesh, merchant due diligence standards must be consistently applied. The risk of collusion is elevated where merchant onboarding is intermediated through agents or partners.

Structuring: Structuring risk arises where individuals or merchants deliberately break down transactions to fall below reporting or monitoring thresholds. In the Pay-Ins context, this may manifest as multiple small merchant settlements across related entities. Transaction monitoring rules must account for velocity across merchant hierarchies.

Control Environment:

Control | Status | Effectiveness
Merchant KYB (Know Your Business) at onboarding | Implemented | Adequate (3)
MCC-based risk categorisation | Implemented | Adequate (3)
Real-time fraud scoring on card transactions | Partially implemented | Partial (4)
Velocity monitoring across merchant hierarchy | Not fully implemented | Weak (5)
Chargeback monitoring and threshold alerts | Implemented | Strong (2)

Residual Risk Rating: Medium-High (Score: 3.5)

Key Gaps: Real-time fraud scoring is not applied consistently across all acquiring relationships. Velocity monitoring across related merchant entities is not yet operational.


6.2 Pay-Outs

Product Description: Pay-Outs enable clients to disburse funds to beneficiaries via bank transfer, mobile money, or cash. Use cases include payroll, supplier payments, and B2C disbursements. Primary markets: Pakistan, Bangladesh, Iraq.

Inherent Risk Rating: High (Score: 4)

Key Financial Crime Typologies:

Money Mule Disbursement: Pay-Out infrastructure can be exploited to move funds through networks of money mules - individuals who receive and forward criminal proceeds. In the Pakistan and Bangladesh markets, unemployment and financial exclusion create a vulnerable population susceptible to recruitment as mules. Beneficiary analysis must identify patterns consistent with mule activity, including repeated receipt of funds from unrelated payers and immediate withdrawal upon receipt.

Social Engineering and Authorised Push Payment (APP) Fraud: Simpaisa's Pay-Out infrastructure may be used as the destination for APP fraud proceeds, where victims are manipulated into authorising payments to fraudulent beneficiaries. The irreversibility of Pay-Out transactions in many corridors significantly increases harm potential. The risk is heightened by the proliferation of AI-enabled social engineering techniques.

Insider Fraud: The Pay-Out product's operational model, which involves manual approval workflows for large or exception transactions, creates insider fraud risk. An internal actor with disbursement authority could authorise payments to fictitious or controlled beneficiaries. Segregation of duties and dual-authorisation controls are essential.

Control Environment:

Control | Status | Effectiveness
Beneficiary KYC verification | Implemented (partial) | Partial (4)
Dual authorisation for transactions above threshold | Implemented | Strong (2)
Beneficiary screening against sanctions lists | Implemented | Adequate (3)
Mule indicator detection in TM rules | Not implemented | Weak (5)
Insider threat monitoring (access logs, approvals) | Partially implemented | Partial (4)

Residual Risk Rating: High (Score: 4)

Key Gaps: Dedicated mule-detection transaction monitoring rules have not been implemented. Beneficiary KYC is inconsistently applied across corridors, particularly in Iraq.


6.3 Remittances

Product Description: Remittances enable individuals to send money cross-border, primarily from GCC, UK, and Canada to Pakistan, Bangladesh, and Nepal. Simpaisa operates as a licensed money services business (MSB) / money transfer operator (MTO) in these corridors.

Inherent Risk Rating: High (Score: 4)

Key Financial Crime Typologies:

Smurfing: Smurfing - the practice of breaking large sums into smaller transactions across multiple senders or accounts to avoid detection - is a primary risk in the remittance product. Simpaisa's platform may be used by a criminal network coordinating multiple individual senders to a single beneficiary or group of beneficiaries. Aggregated transaction monitoring across sender networks is essential.

Hawala Integration: The remittance corridors Simpaisa operates overlap significantly with established hawala networks, particularly in the Pakistan, Bangladesh, and UAE markets. There is a risk that Simpaisa's platform is used in conjunction with informal value transfer, either as the formal leg of a split transaction or as a means of value introduction prior to informal settlement. Agent channel risk is most acute in this regard.

Corridor-Specific Risks

Canada to Pakistan: This corridor carries elevated risk due to the large diaspora population, the historical use of informal transfer mechanisms, and the presence of politically exposed persons and their associates within the Pakistani-Canadian community. The FINTRAC regulatory environment in Canada provides a degree of oversight, but cross-border enforcement coordination remains limited.

GCC to Bangladesh: This is Simpaisa's highest-volume corridor. The garment and migrant worker remittance flows are legitimate but create cover for structuring and layering. The Bangladesh Bank has issued specific guidance on remittance monitoring, and Simpaisa's Bangladesh entity must align with this framework. The risk of agent-facilitated structuring is material.

UAE to Iraq: This corridor presents the highest corridor-level ML/TF risk. Iraq's proximity to sanctioned jurisdictions (Iran, Syria), the active presence of designated terrorist organisations, and the fragility of Iraq's financial system create significant exposure. Enhanced due diligence is mandatory for all transactions in this corridor.

Control Environment:

Control | Status | Effectiveness
Sender KYC (ID verification, source of funds for higher amounts) | Implemented | Adequate (3)
Beneficiary name screening | Implemented | Adequate (3)
Corridor-level risk tiering | Partially implemented | Partial (4)
Aggregated sender network monitoring | Not implemented | Weak (5)
Agent compliance programme (training, audits) | Partially implemented | Partial (4)
FATF Travel Rule compliance | Partially implemented | Partial (4)

Residual Risk Rating: High (Score: 4)

Key Gaps: Aggregated sender network monitoring is absent. Agent compliance programme requires formalisation and consistent audit coverage. Travel Rule implementation is incomplete for outbound transfers.


6.4 Crypto Off-Ramping

Product Description: Simpaisa's Crypto Off-Ramping product enables users to convert cryptocurrency (primarily USDT/USDC stablecoins and BTC) to fiat currency, settled via bank transfer or mobile money. This product operates under the DFSA's Virtual Assets framework and equivalent frameworks in other licensing jurisdictions.

Inherent Risk Rating: Very High (Score: 5)

Key Financial Crime Typologies:

Mixing Service Proceeds: Cryptocurrency mixing services (tumblers, coin joiners) are used to obscure the transaction history of funds. Off-ramping mixed cryptocurrency to fiat represents a classic laundering typology. Blockchain analytics tools must be deployed to identify transactions with elevated mixing exposure prior to fiat settlement. The risk is heightened by the emergence of cross-chain bridging, which complicates tracing.

Ransomware Proceeds: Ransomware attackers typically demand payment in Bitcoin or privacy coins and subsequently attempt to off-ramp proceeds through legitimate financial infrastructure. Simpaisa's off-ramp product is a potential target for this typology. Blockchain analytics should flag addresses associated with known ransomware wallets, and any match should trigger automatic suspension pending MLRO review.

Sanctions Evasion via DeFi: Decentralised finance (DeFi) protocols and cross-chain bridges are increasingly used by sanctioned actors to move value across blockchains and obscure the origin of funds before attempting off-ramp to fiat. The Tornado Cash sanctions (OFAC, 2022) established the principle that smart contracts can be sanctioned entities. Simpaisa must screen against both entity-level sanctions and smart contract addresses listed by OFAC and equivalent bodies.

Control Environment:

Control | Status | Effectiveness
Blockchain analytics (Chainalysis / Elliptic integration) | Implemented | Adequate (3)
Sanctions screening of crypto addresses (OFAC, UN, EU) | Implemented | Adequate (3)
Source of funds declaration for off-ramp above threshold | Implemented | Adequate (3)
Automated suspension on high-risk blockchain analytics alerts | Partially implemented | Partial (4)
Cross-chain tracing capability | Not implemented | Weak (5)
DeFi smart contract address screening | Not implemented | Weak (5)

Residual Risk Rating: High (Score: 4.5)

Key Gaps: Cross-chain tracing and DeFi smart contract screening are not yet implemented. Automated suspension on blockchain analytics alerts requires tuning to reduce false negatives without generating excessive false positives.


6.5 White-Label Wallets

Product Description: Simpaisa provides white-label wallet infrastructure to third-party clients (fintechs, telcos, banks) who deploy consumer-facing mobile wallet products. Simpaisa holds the regulatory licence and is responsible for the AML/CFT framework. End-user onboarding and customer interaction are managed by the white-label partner.

Inherent Risk Rating: High (Score: 4)

Key Financial Crime Typologies:

Synthetic Identity Fraud: The white-label model creates a risk that the partner's onboarding process accepts synthetically constructed identities - combinations of real and fabricated personal data - that pass basic verification checks but do not correspond to real individuals. Synthetic identity fraud is particularly difficult to detect at onboarding because the identity components (e.g., a real government ID number combined with a fictitious name) may appear valid.

Stored Value Abuse: Pre-loaded stored value wallets can be used to store and transfer criminal proceeds with limited traceability. The risk is elevated where wallet-to-wallet transfers are permitted without requiring further KYC verification. Limits on stored value balances and daily transaction thresholds are a key mitigant.

Terrorist Financing: Small-denomination stored value products have historically been identified by FATF as a risk for terrorist financing, as they can be used to accumulate and transfer funds below reporting thresholds. The white-label distribution model, where funds may be loaded at agent locations, amplifies this risk.

Control Environment:

Control | Status | Effectiveness
Partner due diligence and contractual AML obligations | Implemented | Adequate (3)
Identity verification standards imposed on partners | Implemented (minimum standards) | Partial (4)
Stored value limits (balance and transaction) | Implemented | Strong (2)
Synthetic identity detection tooling at partner level | Dependent on partner | Weak (5)
Ongoing monitoring of partner compliance | Partially implemented | Partial (4)
End-user sanctions screening (via partner) | Implemented (attestation basis) | Partial (4)

Residual Risk Rating: High (Score: 4)

Key Gaps: Simpaisa currently relies on partner attestations for end-user sanctions screening rather than direct access to screening results. Synthetic identity detection is not consistently implemented across partners. Partner compliance monitoring requires a formal audit programme.


7. Corridor-Level Assessment

Corridor | Direction | Inherent Risk | Residual Risk | Primary Risk
Canada → Pakistan | Outbound | High (4) | Medium-High (3.5) | Smurfing; diaspora PEP exposure; hawala integration
UK → Pakistan | Outbound | Medium-High (3.5) | Medium (3) | Structuring; informal value transfer
UAE → Pakistan | Outbound | High (4) | High (4) | Cash economy; agent network; corridor volume
UAE → Bangladesh | Outbound | High (4) | High (4) | Garment sector; agent-facilitated structuring
UAE → Nepal | Outbound | Medium-High (3.5) | Medium-High (3.5) | Migrant worker flows; limited beneficiary KYC
UAE → Iraq | Outbound | Very High (5) | High (4.5) | Sanctions proximity; TF risk; fragile financial system
SG → Pakistan | Outbound | Medium (3) | Low-Medium (2.5) | Lower volume; strong SG controls
UK → Bangladesh | Outbound | Medium-High (3.5) | Medium (3) | Structured diaspora flows; FCA oversight of sender
CA → Bangladesh | Outbound | Medium-High (3.5) | Medium (3) | FINTRAC oversight; diaspora structuring risk

The UAE → Iraq corridor is designated as a High-Priority Corridor requiring enhanced monitoring, quarterly corridor-level risk reviews, and individual transaction thresholds below standard product limits.


8. Emerging Risks

8.1 AI-Enabled Fraud

Generative AI tools are enabling fraudsters to construct more convincing social engineering attacks, create synthetic identity documents that pass optical character recognition (OCR) verification, and automate the testing of payment systems for exploitable patterns. The Group's fraud detection models, many of which were trained on pre-AI-era fraud patterns, may have reduced effectiveness against AI-generated fraud vectors. A programme to update fraud models with AI-era typologies is required.

8.2 Deepfake Identity Verification Evasion

Live video-based KYC (liveness checks) is increasingly being defeated by deepfake technology. Fraudsters can now generate real-time synthetic video that passes standard liveness detection. The Group should assess whether its current liveness detection vendors have deployed adversarial deepfake detection and, where not, require upgrades. ISO 30107-3 (Presentation Attack Detection) compliance should be a minimum vendor requirement.

8.3 FATF Travel Rule Gaps

The FATF Travel Rule (Recommendation 16) requires virtual asset service providers (VASPs) to share originator and beneficiary information for transfers above USD 1,000. Implementation across the global VASP ecosystem remains uneven. Simpaisa faces the risk of receiving Travel Rule information from counterpart VASPs that is incomplete, inaccurate, or absent. A defined policy for handling non-compliant inbound transfers - including the option to suspend settlement - is required.

8.4 Stablecoin Risks

Stablecoins (principally USDT and USDC) account for the majority of Simpaisa's crypto off-ramp volume. The regulatory classification of stablecoins is evolving across key jurisdictions (UAE, UK, EU, SG). Risks include: de-pegging events creating settlement risk; issuer-level sanctions exposure (Tether's historic compliance issues); and the use of algorithmic stablecoins that may become worthless rapidly. The Group should maintain a stablecoin risk register and monitor regulatory developments quarterly.


9. Control Environment Assessment

9.1 AML Programme

Component | Assessment | Score
AML Policy framework (policies, procedures) | Documented; partially operationalised | Adequate (3)
MLRO resource and expertise | Experienced MLRO in post; team requires expansion | Partial (4)
AML training programme | Annual training delivered; crypto-specific content limited | Adequate (3)
Suspicious activity reporting (SAR) process | Process documented; reporting volumes appropriately calibrated | Adequate (3)
Record-keeping | Systems in place; retention periods being standardised | Adequate (3)

9.2 Sanctions Screening

Component | Assessment | Score
Lists screened | OFAC, UN, EU, UK HMT - all active | Strong (2)
Screening frequency | Real-time at onboarding; daily batch for existing customers | Strong (2)
Crypto address screening | Implemented via blockchain analytics | Adequate (3)
Fuzzy matching logic | In place; tuning required to reduce false positive fatigue | Adequate (3)
Escalation and disposition process | Documented; target SLA 4 hours for alerts | Adequate (3)

9.3 Transaction Monitoring

Component | Assessment | Score
Rules-based TM system | Deployed across Pay-Ins and Remittances | Adequate (3)
Coverage of Pay-Outs product | Partial - rules under development | Partial (4)
Coverage of Crypto Off-Ramping | Blockchain analytics supplementing TM rules | Partial (4)
Coverage of White-Label Wallets | Partner-dependent; Group-level monitoring limited | Weak (5)
Alert disposition SLA | 48-hour target; met 70% of the time | Partial (4)
Model validation | Not completed to date | Weak (5)

9.4 KYC Standards

Component | Assessment | Score
Individual KYC (identity verification) | Consistent across digital channels | Adequate (3)
Enhanced Due Diligence (EDD) for high-risk customers | Process defined; execution inconsistent | Partial (4)
PEP identification and screening | Automated PEP screening at onboarding | Adequate (3)
Source of funds verification | Applied above threshold; threshold calibration requires review | Adequate (3)
Periodic review of existing customers | Cycle defined; not fully operational | Partial (4)

9.5 Overall Control Environment Rating: Partially Effective

The AML control framework is structurally sound but operationally immature in several key areas. The highest-priority gaps are: transaction monitoring coverage for Pay-Outs and White-Label Wallets; model validation; and TM alert disposition capacity.


10. Residual Risk Heat Map

The matrix below presents the residual risk rating for each product by geography, after application of existing controls.

Residual Risk Heat Map - Product x Geography

Product | PK (High) | BD (High) | NP (Med-High) | IQ (High) | UAE (Med) | CA (Low) | UK (Low) | SG (Low)
Pay-Ins | MED-HIGH | MED-HIGH | MEDIUM | HIGH | MEDIUM | LOW | LOW | LOW
Pay-Outs | HIGH | HIGH | MED-HIGH | VERY HIGH | MED-HIGH | LOW-MED | LOW-MED | N/A
Remittances | HIGH | HIGH | MED-HIGH | VERY HIGH | HIGH | MED-HIGH | MEDIUM | MEDIUM
Crypto | HIGH | HIGH | MED-HIGH | N/A | HIGH | MEDIUM | MEDIUM | MED-HIGH
Wallets | HIGH | HIGH | N/A | HIGH | MED-HIGH | N/A | MEDIUM | N/A

Key: VERY HIGH | HIGH | MED-HIGH | MEDIUM | LOW-MED | LOW | N/A (not active in jurisdiction)

Highest-Priority Cells (Very High / High residual risk):

  • Pay-Outs: Iraq - Very High
  • Remittances: Iraq - Very High
  • Remittances: Pakistan, Bangladesh - High
  • Pay-Outs: Pakistan, Bangladesh - High
  • White-Label Wallets: Pakistan, Bangladesh, Iraq - High


11. Action Plan and Remediation

The following actions are required to address identified control gaps and reduce residual risk ratings.

Ref | Gap Identified | Required Action | Owner | Priority | Target Date
AP-01 | Aggregated sender network monitoring not implemented | Deploy network analysis capability in TM system; define mule network typology rules | Head of Compliance / Technology | Critical | Q3 2026
AP-02 | TM model validation not completed | Commission independent TM model validation | MLRO / Internal Audit | Critical | Q2 2026
AP-03 | Pay-Outs TM coverage partial | Develop and deploy TM rules set for Pay-Outs product | Head of Compliance | Critical | Q2 2026
AP-04 | White-Label Wallet end-user screening on attestation basis | Require direct API integration with Group screening infrastructure for all partners; update partner agreements | MLRO / Commercial | High | Q3 2026
AP-05 | Cross-chain tracing capability absent | Procure and integrate cross-chain tracing module (Chainalysis Reactor or equivalent) | Technology / MLRO | High | Q3 2026
AP-06 | DeFi smart contract address screening not implemented | Implement OFAC and equivalent smart contract address screening in crypto workflows | Technology | High | Q2 2026
AP-07 | Agent compliance programme informal | Formalise agent compliance programme: standard contract, training requirements, annual audit schedule | MLRO / Operations | High | Q3 2026
AP-08 | Travel Rule implementation incomplete | Complete Travel Rule implementation for outbound transfers; define policy for non-compliant inbound | Technology / MLRO | High | Q2 2026
AP-09 | Liveness detection vendor review | Assess all KYC vendors against ISO 30107-3; require adversarial deepfake detection | Technology / MLRO | Medium | Q3 2026
AP-10 | Periodic customer review not fully operational | Activate periodic review cycle: high-risk customers annually, standard customers every 3 years | Head of Compliance | Medium | Q3 2026
AP-11 | EDD execution inconsistent | Develop EDD checklist and quality assurance review process | Head of Compliance | Medium | Q2 2026
AP-12 | Stablecoin risk register not maintained | Establish stablecoin risk register; assign quarterly review responsibility | MLRO | Low | Q2 2026

12. Board Sign-Off

This Financial Crime Risk Assessment has been reviewed and approved by the Board Audit and Risk Committee of Simpaisa Group.

Role | Name | Signature | Date
MLRO (Preparer) | Shoukat Bizinjo | |
Chief Digital Officer | Daniel O'Reilly | |
Chief Financial Officer | Mohammad Mustafa | |
Chair, Board ARC | [ARC Chair Name] | |
Board ARC Member | [Member Name] | |
Board ARC Member | [Member Name] | |

The next Financial Crime Risk Assessment is due for completion by April 2027, or earlier in the event of a material change to the Group's product portfolio, geographic footprint, or regulatory environment.


 


Document 2

Capital Adequacy Policy

SGP-FIN-002

Simpaisa Group - Finance Policies


Field | Detail
Policy Reference | SGP-FIN-002
Policy Title | Capital Adequacy Policy
Classification | Confidential
Owner | CFO - Mohammad Mustafa
Approver | Board of Directors
Review Frequency | Annual
Next Review Due | April 2027
Version | 1.0
Date | April 2026
Replaces | N/A (new policy)

Table of Contents

  1. Purpose and Scope
  2. Regulatory Framework
  3. Capital Requirements
  4. Capital Composition
  5. Capital Adequacy Calculation
  6. Internal Capital Adequacy Assessment Process (ICAAP)
  7. Capital Monitoring and Reporting
  8. Capital Buffer Requirements
  9. Capital Injection Triggers and Escalation
  10. Wind-Down Planning
  11. Relationship to Group Capital
  12. Roles and Responsibilities
  13. Document Control and Review

1. Purpose and Scope

1.1 Purpose

This policy establishes Simpaisa Group's framework for managing capital adequacy across its regulated entities, with primary application to Simpaisa DIFC Limited (the "DIFC Entity"), which holds a Category 3D licence issued by the Dubai Financial Services Authority (DFSA). The policy sets out the minimum capital requirements, the methodology for calculating capital adequacy, the internal assessment process, and the monitoring and escalation procedures that govern capital management across the Group.

Capital adequacy is a foundational regulatory obligation and a critical component of the Group's financial resilience. Maintaining adequate regulatory capital protects clients, counterparties, and the financial system from the consequences of firm failure, and demonstrates to regulators, investors, and partners that Simpaisa operates on a sound financial footing.

1.2 Scope

This policy applies to:

  • Simpaisa DIFC Limited (DFSA Category 3D authorised firm) - primary scope;
  • All other regulated entities within Simpaisa Group, to the extent that equivalent capital adequacy requirements apply in their respective jurisdictions;
  • The Group Holding Company, in respect of consolidated capital position and intercompany capital support arrangements.

Where local capital requirements in other jurisdictions differ from DFSA requirements, local requirements take precedence for that entity, and the relevant country CFO or Finance lead is responsible for maintaining a supplementary capital adequacy schedule.


2. Regulatory Framework

2.1 DFSA Prudential Requirements - Category 3D

The DIFC Entity is authorised by the DFSA as a Category 3D firm. Category 3D authorisation covers firms that deal in investments as principal and/or agent but do not hold client assets and are not permitted to act as a market maker. The DFSA's prudential requirements for Category 3D firms are set out in the Prudential - Investment Business (PIB) Rulebook.

The key regulatory capital requirements for Category 3D firms under the PIB Rulebook are:

  • Base Capital Requirement (BCR): The minimum capital a firm must maintain at all times, regardless of the scale of its activities.
  • Expenditure Based Capital Minimum (EBCM): A capital floor calculated as a proportion of the firm's annual expenditure, designed to ensure the firm holds sufficient capital to cover an orderly wind-down.
  • Specific Capital Requirements: Additional requirements that the DFSA may impose on a firm-specific basis following supervisory review.

2.2 Applicable Rulebooks and Guidance

  • DFSA PIB Rulebook (as amended)
  • DFSA Prudential - Returns (PRU) Module
  • DFSA General Module (GEN)
  • Basel III principles (adopted by reference for internal capital assessment purposes)
  • DFSA Consultation Papers and Supervisory Guidance Notes (as applicable)

2.3 Other Jurisdictional Frameworks

| Entity | Jurisdiction | Applicable Framework |
|---|---|---|
| Simpaisa Pakistan | State Bank of Pakistan | SBP Exchange Companies Regulations |
| Simpaisa Bangladesh | Bangladesh Bank | MFS Regulations; Bangladesh Bank prudential norms |
| Simpaisa UK | FCA (authorised as EMI/PI) | FCA Electronic Money Regulations 2011; PSR 2017 |
| Simpaisa Canada | FINTRAC / Provincial | MSB Registration; Provincial licensing requirements |
| Simpaisa Singapore | MAS | Payment Services Act 2019; MAS capital requirements |

Each entity CFO or Finance lead shall maintain a jurisdiction-specific capital schedule aligned with this Group policy.


3. Capital Requirements

3.1 Base Capital Requirement

The DFSA PIB Rulebook specifies a Base Capital Requirement for Category 3D authorised firms. As at the date of this policy, the minimum BCR for a Category 3D firm is USD 10,000.

Simpaisa maintains a voluntary capital buffer substantially in excess of this regulatory minimum. The Group's internal policy minimum for the DIFC Entity is a maintained capital base of USD 300,000 to USD 500,000, reflecting the Group's assessment of its risk profile, operational requirements, wind-down costs, and DFSA supervisory expectations.

Note: The BCR for Category 3D firms should be confirmed directly with the DFSA on each annual review, as the DFSA may update capital thresholds through rulebook amendments or individual supervisory direction. The CFO is responsible for verifying the applicable BCR with the DFSA's Supervision Division annually and documenting the confirmation.

3.2 Expenditure Based Capital Minimum (EBCM)

The EBCM is calculated as 18/52 of the firm's annual audited expenditure - equivalent to approximately 18 weeks of operating costs. This requirement is designed to ensure that a firm holds sufficient capital to fund an orderly wind-down of its DIFC operations.

EBCM Formula:

EBCM = (Annual Audited Expenditure / 52) x 18

Annual Audited Expenditure means the total operating expenditure of the DIFC Entity as reported in its most recently audited financial statements, excluding:

  • Depreciation and amortisation;
  • Provisions and impairments;
  • Profit-sharing and discretionary bonuses;
  • Exceptional items (with DFSA approval for exclusion);
  • Expenditure on behalf of related parties where recharged at cost.

The EBCM shall be recalculated each year following completion of the annual audit. An interim estimate shall be prepared for the six-month period using management accounts.

3.3 Specific Capital Requirements

The DFSA may impose additional capital requirements on the DIFC Entity following supervisory review, a risk event, or a firm-specific finding. Any such specific requirement shall be treated as a floor and incorporated into the capital adequacy calculation immediately upon notification.

The CFO shall notify the Board within five business days of receiving any DFSA communication relating to a specific capital requirement.


4. Capital Composition

4.1 Tier 1 Capital - Common Equity Tier 1 (CET1)

CET1 capital is the highest quality form of regulatory capital. For Simpaisa, CET1 capital comprises:

  • Paid-up share capital: Ordinary share capital fully paid and free from encumbrance. Preference shares with mandatory redemption features are excluded.
  • Share premium: Premium paid above par value on share issuances.
  • Retained earnings: Audited accumulated profit and loss reserves. Unaudited current-year profits may be included at the discretion of the CFO, subject to a conservative haircut and DFSA guidance.
  • Other disclosed reserves: Reserves arising from revaluation or other comprehensive income, to the extent recognised under the PIB Rulebook.

Deductions from CET1:

  • Goodwill and other intangible assets;
  • Deferred tax assets that rely on future profitability;
  • Material holdings in financial institutions;
  • Reciprocal cross-holdings;
  • Any item specifically excluded by the DFSA.

4.2 Tier 2 Capital

Tier 2 capital is supplementary capital that may be included in regulatory capital calculations subject to DFSA limits. Tier 2 instruments must meet specified eligibility criteria, including minimum maturity, loss absorption features, and no incentive to redeem.

As at the date of this policy, Simpaisa does not hold any Tier 2 capital instruments. Should the Group seek to issue Tier 2 instruments in the future, prior Board approval and DFSA notification shall be required.

Potential Tier 2 instruments (subject to eligibility assessment):

  • Subordinated debt (minimum five-year maturity; principal loss absorption at point of non-viability);
  • Subordinated loans from Group entities (subject to DFSA approval and intercompany loan documentation).

4.3 Capital Composition Policy

The Group maintains a preference for CET1 as the primary form of regulatory capital. The CFO shall ensure that the CET1 ratio (CET1 as a proportion of total regulatory capital) does not fall below 75%.


5. Capital Adequacy Calculation

5.1 Regulatory Capital Requirement

The regulatory capital requirement for the DIFC Entity is the highest of:

Capital Requirement = MAX (BCR, EBCM, Specific Capital Requirement)

This is consistent with the DFSA PIB Rulebook's "higher of" approach for Category 3D firms.

5.2 Regulatory Capital Available

Regulatory capital available (the numerator) is calculated as:

Regulatory Capital Available = CET1 Capital + Eligible Tier 2 Capital

After applying all applicable deductions as set out in Section 4.

5.3 Capital Surplus / (Deficit)

Capital Surplus / (Deficit) = Regulatory Capital Available − Capital Requirement

A positive figure indicates a capital surplus. A negative figure indicates a capital deficiency, which must be remedied immediately and reported to the DFSA in accordance with PIB Module obligations.

5.4 Capital Adequacy Ratio

For internal monitoring purposes, the Group also tracks a Capital Adequacy Ratio:

Capital Adequacy Ratio = (Regulatory Capital Available / Capital Requirement) x 100%

A ratio of 100% represents exactly meeting the regulatory minimum. The Group's internal target is a Capital Adequacy Ratio of at least 120%, consistent with the 20% buffer policy set out in Section 8.

5.5 Illustrative Calculation

| Item | Amount (USD) |
|---|---|
| Share Capital (paid-up) | 500,000 |
| Retained Earnings | (75,000) |
| Less: Intangible Assets | (12,000) |
| CET1 Capital Available | 413,000 |
| Base Capital Requirement | 10,000 |
| EBCM (18/52 x USD 780,000 annual expenditure) | 269,538 |
| Specific Capital Requirement | Nil |
| Regulatory Capital Requirement | 269,538 |
| Capital Surplus | 143,462 |
| Capital Adequacy Ratio | 153% |

Note: Figures above are illustrative. Actual figures shall be calculated monthly by the Finance team.


6. Internal Capital Adequacy Assessment Process (ICAAP)

6.1 Purpose of the ICAAP

The Internal Capital Adequacy Assessment Process (ICAAP) is an annual forward-looking assessment of whether the Group's capital is, and will remain, adequate given its risk profile, business plan, and identified stress scenarios. The ICAAP goes beyond minimum regulatory compliance - it is a management tool for capital planning and risk governance.

6.2 Frequency and Timing

The ICAAP shall be conducted annually, timed to align with the Group's annual budget and business planning cycle. The ICAAP report shall be completed by 31 March each year (covering the forward 12-month period) and presented to the Board for approval by 30 April.

6.3 ICAAP Process and Components

Step 1: Business Model Assessment

Review of the Group's current and planned business activities, revenue model, and strategic objectives, to identify capital implications of planned growth or new product/market entry.

Step 2: Risk Identification

Identification of all material risks that could affect capital adequacy, including but not limited to: operational risk, credit risk (counterparty exposure), market risk (FX), liquidity risk, legal and regulatory risk, and reputational risk.

Step 3: Capital Assessment (Base Case)

Calculation of regulatory capital requirement under the base case business plan, using the methodology in Section 5. Projection of capital position over the next 12 months, incorporating planned expenditure growth, revenue projections, and any planned capital injections or distributions.

Step 4: Stress Testing

Assessment of capital adequacy under each of the stress scenarios defined in Section 6.4. For each scenario, the impact on capital (loss of retained earnings, increase in EBCM due to remediation costs, reduction in available capital) is quantified, and the post-stress capital position is calculated.

Step 5: Capital Planning

Based on the base case and stress test results, the ICAAP sets out a capital plan covering:

  • Whether current capital levels are adequate;
  • Whether any additional capital is required in the next 12 months;
  • The source and timing of any planned capital injection;
  • Contingency measures if stress scenarios materialise.

Step 6: Board Approval and DFSA Submission

The ICAAP report shall be approved by the Board. The DFSA may request sight of the ICAAP as part of its supervisory review process. The CFO shall maintain a copy available for DFSA inspection at all times.

6.4 Stress Scenarios

The following stress scenarios shall be assessed in each annual ICAAP:

Scenario 1 - Operational Loss Event

A material operational failure (e.g., technology outage, processing error, regulatory fine) resulting in an unplanned loss equal to 25% of annual revenue. Impact: reduction in retained earnings; potential regulatory fine increasing specific capital requirement.

Scenario 2 - FX Shock (PKR/BDT Devaluation)

A 30% devaluation of the Pakistani Rupee and/or Bangladeshi Taka simultaneously. Impact: reduction in revenue from Pakistan and Bangladesh corridors; FX translation losses on intercompany receivables; potential increase in operational costs in local currency terms.

Scenario 3 - Major Fraud Event

A major fraud event (internal or external) resulting in a loss equal to 15% of annual transaction volume processed. Impact: direct financial loss; regulatory investigation costs; potential DFSA-imposed capital requirement uplift.

Scenario 4 - Regulatory Fine

Imposition of a material regulatory sanction (DFSA or equivalent) resulting in a fine equal to 10% of annual revenue and associated remediation costs of a further 10% of annual revenue. Impact: direct loss; reputational impact on revenue; potential specific capital requirement.

Scenario 5 - Key Client Loss

Loss of the Group's three largest white-label wallet or remittance clients simultaneously. Impact: revenue reduction of approximately [X]%; potential redundancy and restructuring costs; assessment of whether EBCM threshold changes materially.

Scenario 6 - Combined Stress

A combination of Scenarios 1 and 5, representing a simultaneous operational failure and key client loss event. This is the most severe scenario and is intended to test whether the Group remains solvent and above minimum regulatory capital requirements under a combined shock.

For each scenario, the ICAAP shall document: (a) the stressed capital position; (b) whether the Group remains above its regulatory minimum; (c) whether the Group remains above its internal policy buffer; and (d) the management actions available to restore capital if required.


7. Capital Monitoring and Reporting

7.1 Monthly Monitoring

The Finance team shall calculate the Group's regulatory capital position on a monthly basis, within 15 business days of the end of each calendar month. The monthly capital report shall include:

  • Regulatory capital available (CET1 and Tier 2);
  • Regulatory capital requirement (BCR, EBCM, specific);
  • Capital surplus / (deficit);
  • Capital Adequacy Ratio;
  • Buffer status (percentage above minimum);
  • Any material changes since the prior month with explanatory commentary.

The monthly capital report shall be reviewed and signed off by the CFO.

7.2 Quarterly Board Reporting

The CFO shall present a capital adequacy summary to the Board of Directors on a quarterly basis, as part of the standard Board financial reporting pack. The quarterly report shall include:

  • Year-to-date capital position versus the ICAAP base case;
  • Comparison against internal buffer thresholds;
  • Any material changes to the capital requirement (e.g., change in audited expenditure, new specific requirement);
  • Forward-looking 12-month capital projection;
  • Status of any capital-related action items from prior Board meetings.

7.3 Annual DFSA Regulatory Return

The DIFC Entity shall submit its DFSA prudential return (PRU) in accordance with the DFSA's prescribed schedule. The CFO is responsible for ensuring the accuracy and timeliness of all regulatory submissions. The prudential return shall be consistent with the internal monthly capital calculations.


8. Capital Buffer Requirements

8.1 Internal Capital Buffer

Simpaisa's internal policy requires the Group to maintain a minimum capital buffer of 20% above its regulatory capital requirement at all times. This buffer provides a cushion against unexpected losses or increases in the capital requirement, and provides time for management action before breaching the regulatory minimum.

Internal Policy Minimum = Regulatory Capital Requirement x 120%

Maintaining this buffer is a standing Board-approved requirement and may only be waived by formal Board resolution, which must be notified to the DFSA if the waiver results in the capital position falling below the regulatory minimum.

8.2 Buffer Monitoring

The monthly capital report (Section 7.1) shall explicitly track buffer status. The Finance team shall flag any month in which the buffer falls below 25% as an "amber" alert, and below 20% as a "red" alert, with immediate escalation as set out in Section 9.


9. Capital Injection Triggers and Escalation

9.1 Amber Alert - Buffer Below 20%

If the Capital Adequacy Ratio falls below 120% (i.e., the buffer falls below 20%), the following actions shall be taken:

  • The CFO shall notify the Board immediately (within two business days of the monthly calculation confirming the breach);
  • The CFO shall prepare a capital restoration plan, setting out the cause of the breach, the options for remediation (cost reduction, capital injection, intercompany loan), and the recommended course of action;
  • The Board shall approve the capital restoration plan within ten business days of notification;
  • The capital position shall be monitored weekly until the buffer is restored.

9.2 Red Alert - Buffer Below 10% (Approaching Regulatory Minimum)

If the Capital Adequacy Ratio falls below 110% (i.e., the buffer falls below 10% of the regulatory minimum), the following additional actions shall be taken:

  • The CFO shall notify the Board on the day the breach is identified;
  • The Group shall assess whether a notification to the DFSA is required under the PIB Rulebook. If the regulatory minimum itself is breached, or is at risk of being breached within 30 days, the DIFC Entity must notify the DFSA immediately;
  • The DFSA notification shall be made by the CFO in consultation with the MLRO and external DFSA counsel;
  • No distributions, dividends, or discretionary payments shall be made from the DIFC Entity until the capital position is restored;
  • Emergency capital injection options shall be explored and actioned within five business days.

9.3 Capital Deficiency (Breach of Regulatory Minimum)

A capital deficiency (regulatory capital available falling below the regulatory capital requirement) is a serious regulatory breach. In addition to the actions in Section 9.2:

  • The DIFC Entity shall notify the DFSA immediately on the day the deficiency is identified;
  • Legal counsel (DIFC-regulated law firm with DFSA expertise) shall be engaged immediately;
  • All new business origination in the DIFC Entity shall be suspended pending restoration of compliance;
  • The Board shall convene an emergency meeting within 48 hours.

10. Wind-Down Planning

10.1 Requirement

The DFSA requires that Category 3D authorised firms maintain a credible wind-down plan, and that the EBCM is sufficient to fund an orderly wind-down. The CFO shall maintain a wind-down planning document (updated annually as part of the ICAAP) that estimates the costs and timeline for an orderly wind-down of the DIFC Entity.

10.2 Wind-Down Cost Estimate

The wind-down cost estimate shall include, at a minimum:

| Cost Category | Basis of Estimate |
|---|---|
| Staff redundancy costs | Applicable DIFC employment law; 3-month notice periods assumed |
| Regulatory notification and cooperation costs | DFSA notification; external counsel fees |
| Technology decommissioning | Infrastructure shutdown; data migration; licence termination fees |
| Client and counterparty notification | Communications; potential claims management |
| Office and facilities | Lease termination costs; notice period |
| Ongoing regulatory obligations during wind-down | Compliance, reporting, and record-keeping through wind-down period |
| Professional fees | Auditors, legal counsel, insolvency practitioners if required |
| Contingency (10% of total) | Unidentified costs |

The wind-down plan shall estimate the total cost of an orderly wind-down and confirm that the EBCM (18 weeks of expenditure) is sufficient to fund this cost. If the estimated wind-down cost exceeds the EBCM, the CFO shall notify the Board and assess whether additional capital should be maintained.

10.3 Wind-Down Timeline

The wind-down plan shall include an estimated timeline from the decision to wind down to the cessation of regulated activities, covering: client notification period; regulatory approval for wind-down; staff offboarding; technology decommissioning; and DFSA deauthorisation.


11. Relationship to Group Capital

11.1 Group Holding Company Capital Position

The CFO shall maintain visibility of the Simpaisa Group Holding Company's consolidated capital position. The HoldCo capital position is relevant to: the availability of capital support for regulated entities; intercompany loan capacity; and investor and lender assessments of Group financial strength.

The Group CFO shall prepare a consolidated Group capital summary on a quarterly basis, presented alongside the DIFC Entity capital report at Board meetings.

11.2 Intercompany Capital Support Arrangements

The Simpaisa Group operates a model of subsidiary self-sufficiency - each regulated entity is expected to maintain its own regulatory capital from its own resources. However, in the event of a capital stress event in any regulated entity, the HoldCo may provide capital support through one of the following mechanisms:

  • Equity injection: HoldCo subscribes for new shares in the regulated entity (immediate CET1 impact; requires local regulatory notification in most jurisdictions);
  • Subordinated loan: HoldCo provides a subordinated loan to the regulated entity (eligible as Tier 2 capital, subject to eligibility criteria and local regulatory approval);
  • Intercompany loan (operational): HoldCo provides a short-term operational loan (not eligible as regulatory capital; may be used to address liquidity pressure while a capital solution is arranged).

Any intercompany capital support arrangement requires Board approval, proper intercompany loan documentation, and notification to the relevant regulator. The CFO shall maintain a register of all intercompany capital support arrangements.

11.3 Capital Fungibility Constraints

Capital is not freely fungible across the Group. Regulated entities may not transfer capital or excess liquidity to HoldCo or other Group entities without satisfying their own regulatory capital requirements first. The CFO shall assess fungibility constraints in the ICAAP and ensure that the capital plan reflects the actual available capital in each entity.


12. Roles and Responsibilities

| Role | Responsibility |
|---|---|
| Board of Directors | Approve capital adequacy policy; approve ICAAP; receive quarterly capital reports; approve capital restoration plans |
| CFO (Mohammad Mustafa) | Policy owner; monthly capital calculation; ICAAP preparation; DFSA prudential return submission; escalation as required |
| Finance Team | Monthly data preparation; regulatory return preparation; capital monitoring |
| MLRO | Input to ICAAP risk identification; notification obligations in event of capital deficiency |
| External Auditors | Annual audit of financial statements (basis for EBCM calculation) |
| DFSA Supervision | Supervisory oversight; receipt of prudential returns; imposing specific capital requirements |

13. Document Control and Review

This policy shall be reviewed annually by the CFO and approved by the Board. An interim review shall be triggered by any of the following events:

  • Material change to the DFSA PIB Rulebook capital requirements;
  • Significant change in the Group's business model, product suite, or geographic footprint;
  • Capital stress event or capital deficiency;
  • Material DFSA supervisory finding relating to capital adequacy.

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | April 2026 | Mohammad Mustafa, CFO | Initial issue |

 


Document 3

Fitness and Propriety Policy

SGP-GOV-007

Simpaisa Group - Governance Policies


| Field | Detail |
|---|---|
| Policy Reference | SGP-GOV-007 |
| Policy Title | Fitness and Propriety Policy |
| Classification | Confidential |
| Owner | MLRO / Global Head of Regulatory Affairs - Shoukat Bizinjo |
| Approver | Board of Directors |
| Review Frequency | Annual |
| Next Review Due | April 2027 |
| Version | 1.0 |
| Date | April 2026 |
| Replaces | N/A (new policy) |

Table of Contents

  1. Purpose and Scope
  2. Fitness and Propriety Criteria
  3. In-Scope Persons
  4. Pre-Appointment Assessment
  5. DFSA Authorised Individual Application Process
  6. Ongoing Fitness Monitoring
  7. Notification Obligations
  8. Other Jurisdictional Requirements
  9. Remediation
  10. Record-Keeping
  11. Board and RemNom Committee Oversight
  12. Roles and Responsibilities
  13. Document Control and Review

1. Purpose and Scope

1.1 Purpose

Simpaisa Group is authorised and regulated by the DFSA in the Dubai International Financial Centre (DIFC), and by multiple other financial regulators across its operating jurisdictions. A foundational regulatory requirement of all these authorities is that individuals who hold positions of responsibility within the Group - whether on the Board, in senior management, or in key regulated functions - must be, and remain, fit and proper to hold those positions.

This policy establishes the framework by which the Group assesses, approves, monitors, and where necessary, remedies the fitness and propriety of individuals in positions of regulatory significance. It ensures that the Group meets its obligations to the DFSA and other applicable regulators, and that clients, counterparties, and the financial system can have confidence in the integrity and competence of Simpaisa's leadership and regulated function-holders.

The policy applies the principle that fitness and propriety is not a one-time assessment at the point of appointment - it is a continuous obligation that endures throughout an individual's tenure.

1.2 Scope

This policy applies to all persons who meet one or more of the following criteria:

  • DFSA Authorised Individuals: Any individual who is required to hold DFSA authorisation to perform a licensed function in the DIFC Entity, including the Senior Executive Officer (SEO), Finance Officer, Compliance Officer, MLRO, and any other function specified by the DFSA as requiring individual authorisation;
  • DFSA Key Persons: Any individual designated as a key person under the DFSA GEN Module, including Board members of the DIFC Entity;
  • Board Members: All directors of Simpaisa Group Holding Company and all regulated subsidiary boards;
  • Senior Management: The Group's C-suite and Executive Committee members, regardless of the entity through which they are employed;
  • Regulated Function Holders: Individuals holding regulated or licensed functions in any of the Group's operating jurisdictions (SBP fit and proper persons in Pakistan; Bangladesh Bank-approved persons; FCA Senior Managers in the UK; MAS fit and proper persons in Singapore; FINTRAC-registered individuals in Canada).

This policy does not apply to non-executive staff who do not hold regulated functions, unless otherwise specified by a relevant regulator.


2. Fitness and Propriety Criteria

The DFSA assesses fitness and propriety against three principal criteria, which form the foundation of this policy and are supplemented by equivalent criteria from other jurisdictions where the Group operates.

2.1 Honesty, Integrity, and Reputation

An individual must demonstrate that they are honest and have integrity. The assessment of this criterion considers:

  • Whether the individual has been convicted of, or is subject to, any criminal proceedings, including proceedings for dishonesty, fraud, financial crime, or violence;
  • Whether the individual has been subject to adverse regulatory findings, disciplinary sanctions, or enforcement action by any regulatory or professional body;
  • Whether the individual has been disqualified as a company director in any jurisdiction;
  • Whether the individual has been subject to civil proceedings involving dishonesty, breach of fiduciary duty, or other conduct that calls their integrity into question;
  • Adverse media reports that suggest conduct inconsistent with the standards expected of a senior individual in a regulated financial institution;
  • Whether the individual is, or is associated with, a Politically Exposed Person (PEP) in a manner that gives rise to corruption risk;
  • Whether the individual has been subject to sanctions by any governmental or intergovernmental body.

2.2 Competence and Capability

An individual must demonstrate that they have the skills, knowledge, experience, and qualifications necessary to perform the functions for which they are responsible. The assessment of this criterion considers:

  • Relevant educational qualifications and professional certifications;
  • Previous experience in financial services or equivalent regulated environments;
  • Track record of performance in prior roles;
  • Knowledge of the regulatory environment applicable to the functions they are to perform;
  • Continuing professional development (CPD) record;
  • For DFSA Authorised Individuals: specific knowledge of DFSA regulations applicable to their licensed function.

2.3 Financial Soundness

An individual must not be in a financial position that could compromise their independence, create conflicts of interest, or make them susceptible to external pressure. The assessment of this criterion considers:

  • Whether the individual is currently, or has previously been, subject to bankruptcy, individual voluntary arrangement (IVA), or equivalent insolvency proceedings;
  • Whether the individual has any current county court judgements (CCJs), default judgements, or equivalent court orders in any jurisdiction relating to unpaid debt;
  • Whether the individual has significant undisclosed debt that creates a vulnerability or conflict of interest;
  • A general assessment of the individual's financial circumstances, based on a declaration and credit check.

3. In-Scope Persons

3.1 Classification

All in-scope persons are classified into one of two tiers for the purposes of this policy:

Tier 1 - Highest scrutiny:

  • DFSA Authorised Individuals;
  • DFSA Key Persons (including Board members of the DIFC Entity);
  • Group Board members;
  • Group C-suite (CEO, CFO, CDO, MLRO, CTO, CCO, and equivalent).

Tier 2 - Standard scrutiny:

  • Senior managers (direct reports to C-suite and equivalent);
  • Regulated function holders in other jurisdictions (SBP, Bangladesh Bank, FCA SMR, MAS, FINTRAC);
  • Company secretaries of regulated entities.

3.2 Assessment Intensity

Tier 1 persons are subject to a full assessment as described in Section 4. Tier 2 persons are subject to the same assessment process, with the exception that the DFSA Authorised Individual application process (Section 5) applies only where the individual holds a DFSA-regulated function.


4. Pre-Appointment Assessment

No individual shall be appointed to a Tier 1 or Tier 2 position without first completing and satisfying a pre-appointment fitness and propriety assessment. The Global Head of Regulatory Affairs (Shoukat Bizinjo) is responsible for coordinating the pre-appointment assessment process.

4.1 Criminal Record Check

A criminal record check shall be obtained for all jurisdictions in which the individual has resided for 90 days or more in the past ten years. For international candidates, this typically requires multiple country-specific checks (e.g., DBS Enhanced Check for UK; RCMP check for Canada; police clearance certificates for UAE, Pakistan, etc.).

The check shall be conducted through a reputable third-party screening provider. The results shall be reviewed by the Global Head of Regulatory Affairs. Any finding - whether a conviction, caution, pending charge, or other adverse disclosure - shall be escalated immediately to the Group CEO and General Counsel, and assessed as to its materiality for fitness purposes.

Minor or historical offences that are clearly unrelated to the individual's suitability for a financial services role shall be documented and may not necessarily disqualify the individual, subject to a documented proportionality assessment. However, any conviction or finding relating to dishonesty, fraud, money laundering, terrorism, sexual offences, violence, or regulatory breaches shall be treated as presumptively disqualifying and shall require Board approval (and, for Tier 1 DFSA positions, DFSA pre-approval) before appointment proceeds.

4.2 Regulatory Reference Check

For candidates who have previously held roles in regulated financial services firms, a regulatory reference shall be obtained from each prior employer in the financial services sector in the past six years. The regulatory reference request shall specifically ask:

  • Whether the individual was subject to any formal investigation, disciplinary action, or performance management related to regulatory compliance, integrity, or financial crime during their employment;
  • Whether there are any matters that, in the prior employer's opinion, are relevant to the individual's fitness and propriety;
  • Whether the individual left the employment voluntarily, or was subject to any involuntary exit.

Where a prior employer declines to provide a reference, or provides a reference that raises concerns, this shall be escalated to the Group CEO and treated as a risk factor in the assessment.

4.3 Credit Check and Financial Soundness Declaration

A credit check shall be conducted through a recognised credit reference agency for each jurisdiction in which the individual is resident. The credit check results shall be reviewed by the Global Head of Regulatory Affairs.

In addition, the individual shall complete a financial soundness declaration confirming:

  • Whether they are or have been subject to bankruptcy, IVA, or equivalent insolvency proceedings in any jurisdiction;
  • Whether they have any unsatisfied CCJs, default judgements, or equivalent;
  • Whether they have any material undisclosed liabilities;
  • Whether they have any financial interests that could give rise to a conflict of interest in their proposed role.

Any adverse finding in the credit check or financial soundness declaration shall be assessed for materiality. Current bankruptcy or insolvency proceedings shall be presumptively disqualifying for Tier 1 roles.

4.4 Qualification and Experience Verification

The Global Head of Regulatory Affairs shall verify:

  • All academic qualifications claimed by the individual (degree-level and above, and relevant professional qualifications) by obtaining copies of certificates and verifying with the issuing institution where the qualification is material to the role;
  • Professional memberships and designations;
  • Employment history as represented on the individual's CV, with particular attention to: unexplained gaps; discrepancies between stated and actual roles; and any stated roles in firms that cannot be verified.

4.5 PEP and Sanctions Screening

All individuals subject to this policy shall be screened against:

  • OFAC SDN List;
  • UN Consolidated Sanctions List;
  • EU Consolidated Sanctions List;
  • UK HMT Consolidated List;
  • UAE Local Terrorist Designation Lists;
  • Commercial PEP and adverse media databases (LexisNexis, Refinitiv World-Check, or equivalent).

The screening shall be conducted prior to appointment and shall cover the individual, their immediate family members (spouse and dependent children), and any entities in which they have a controlling interest. Any match or close match shall be escalated immediately and assessed by the MLRO before appointment proceeds. A confirmed sanctions match is an absolute bar to appointment.

PEP status is not automatically disqualifying, but requires Enhanced Due Diligence as part of the assessment, including source of wealth verification and Board approval.

4.6 Adverse Media Check

An adverse media search shall be conducted using professional databases and open-source intelligence techniques, covering the individual's name, known aliases, and associated entities. The search shall cover all jurisdictions of residence and employment, and shall extend back at least ten years. The results shall be reviewed by the Global Head of Regulatory Affairs, and any material adverse finding shall be escalated for assessment.


5. DFSA Authorised Individual Application Process

5.1 Scope

This section applies specifically to individuals who are required to hold individual authorisation from the DFSA to perform a licensed function in the DIFC Entity. As at the date of this policy, DFSA Authorised Individual status is required for the following functions:

  • Senior Executive Officer (SEO);
  • Finance Officer;
  • Compliance Officer;
  • Money Laundering Reporting Officer (MLRO);
  • Any other function specified by the DFSA in the GEN Module or by specific supervisory direction.

5.2 Process

The DFSA Authorised Individual application process is as follows:

Step 1 - Pre-application assessment: The pre-appointment assessment in Section 4 shall be completed and documented before the DFSA application is submitted.

Step 2 - Application forms: The DFSA Authorised Individual application form (Form AI) shall be completed by the proposed individual and reviewed by the Global Head of Regulatory Affairs for accuracy and completeness.

Step 3 - Supporting documentation: The application shall be accompanied by:

  • Certified copy of passport;
  • Proof of current address;
  • Curriculum vitae covering the full 10-year employment history;
  • Copies of relevant qualifications and professional memberships;
  • Criminal record check results (as applicable);
  • Regulatory references (as applicable);
  • Financial soundness declaration;
  • Business plan / scope of responsibilities description;
  • Any other documents specified by the DFSA.

Step 4 - Internal review: The completed application pack shall be reviewed and signed off by the Group CEO before submission to the DFSA.

Step 5 - DFSA submission: The application shall be submitted through the DFSA's online portal (the "Firms Gateway") by the Compliance Officer or MLRO.

Step 6 - DFSA review period: The DFSA typically processes Authorised Individual applications within 20-45 business days, though this may vary. During this period, the DFSA may request additional information or arrange an interview with the proposed individual.

Step 7 - Interview preparation: Where the DFSA requests an interview, the Global Head of Regulatory Affairs shall prepare the individual for the interview, covering: the DFSA regulatory framework applicable to their function; the firm's current regulatory status and programme; and likely lines of questioning.

Step 8 - DFSA decision: Upon receipt of the DFSA's decision, the Global Head of Regulatory Affairs shall record the outcome in the Authorised Individuals Register (see Section 10). If the application is refused or conditional approval is granted, this shall be escalated to the Board immediately.

5.3 Acting Up

No individual shall perform the functions of a DFSA Authorised Individual role without holding the required authorisation, except where the DFSA permits temporary cover arrangements. In the event that a DFSA Authorised Individual is temporarily absent (e.g., extended leave, resignation), the Global Head of Regulatory Affairs shall assess whether a temporary cover arrangement is permissible under DFSA rules and, if so, notify the DFSA within the required timeframe.


6. Ongoing Fitness Monitoring

Fitness and propriety is assessed on a continuous basis, not solely at the point of appointment. The following mechanisms constitute the Group's ongoing fitness monitoring programme.

6.1 Annual Self-Declaration

All in-scope persons shall complete an annual fitness and propriety self-declaration by 31 January each year. The self-declaration shall require the individual to confirm:

  • Whether there have been any changes to their criminal record (charges, convictions, cautions, investigations);
  • Whether they have been subject to any regulatory investigation, disciplinary action, or sanction by any regulator or professional body since the last declaration;
  • Whether they have become subject to any insolvency proceedings, or have any material change in their financial circumstances that could affect their fitness;
  • Whether there are any actual or potential conflicts of interest that have not previously been disclosed;
  • Whether their qualifications, memberships, and CPD are current and accurate;
  • Whether they are aware of any other matter that could be material to their fitness and propriety.

Self-declarations shall be submitted to the Global Head of Regulatory Affairs and reviewed within 10 business days. Any adverse disclosure shall be assessed and escalated as appropriate.

6.2 Event-Driven Reassessment

An immediate reassessment shall be triggered upon the occurrence of any of the following events, whether arising from the individual's disclosure, the Group's own monitoring, or third-party notification:

  • Criminal charge, arrest, or conviction in any jurisdiction;
  • Regulatory investigation, censure, fine, or prohibition by any regulatory or professional body;
  • Bankruptcy, IVA, or equivalent insolvency event;
  • County court judgement or equivalent unsatisfied debt order;
  • Material adverse media coverage;
  • Identification as a PEP (or change in PEP status of the individual or an immediate family member);
  • Serious disciplinary matter within the Group;
  • Material change in financial circumstances as disclosed by the individual.

Upon trigger of an event-driven reassessment, the Global Head of Regulatory Affairs shall:

  1. Notify the Group CEO within one business day;
  2. Conduct an assessment of the materiality of the event within five business days;
  3. Make a recommendation to the Board (for Tier 1 persons) or to the Group CEO (for Tier 2 persons) on whether the individual continues to meet fitness and propriety standards;
  4. Assess whether a notification to the DFSA or other regulator is required (see Section 7).

6.3 Continuous Screening

All in-scope persons shall be subject to continuous (or daily batch) screening against sanctions lists and PEP databases. The screening programme shall be maintained by the Compliance function. Any alert generated shall be reviewed within four business hours and escalated to the MLRO if not immediately resolved as a false positive.


7. Notification Obligations

7.1 DFSA Notification

The DFSA must be notified if there is a material change in the circumstances of a DFSA Authorised Individual that may affect that individual's fitness and propriety. The notification must be made within 10 business days of the Group becoming aware of the relevant change.

Material changes requiring DFSA notification include, but are not limited to:

  • Criminal charge or conviction;
  • Regulatory action or investigation by another regulator;
  • Insolvency event;
  • Material adverse media event;
  • Resignation or removal from the Authorised Individual role.

DFSA notifications shall be made by the Compliance Officer or MLRO through the Firms Gateway. The notification shall be factual, complete, and made promptly. The Group shall not delay notification pending resolution of the underlying matter. Legal counsel shall be engaged before making any DFSA notification relating to a criminal or regulatory matter.

7.2 Other Regulator Notification

Equivalent notification obligations exist in other jurisdictions. The relevant Compliance or Regulatory Affairs lead in each jurisdiction is responsible for assessing notification obligations and making timely disclosures. Key notification requirements include:

  • SBP (Pakistan): Notification required for any material adverse change in the fitness of an Exchange Company's key persons;
  • Bangladesh Bank: Notification required for changes to approved persons;
  • FCA (UK): Under the Senior Managers Regime, the Group must submit a Form C (cessation) within seven business days of an SMF holder leaving their role, and must make a regulatory reference available to any prospective employer;
  • MAS (Singapore): Notification of any material change affecting the fitness of Key Individuals;
  • FINTRAC (Canada): MSB registration must be updated to reflect changes in relevant individual positions.

7.3 Regulatory Reference Obligations

Where a former in-scope person seeks employment at another regulated financial services firm and that firm requests a regulatory reference from Simpaisa, the Group must provide an accurate and factual reference. The regulatory reference must disclose:

  • Whether the individual was subject to any formal investigation or disciplinary action relating to regulatory compliance, integrity, or financial crime during their employment;
  • Whether they were dismissed or asked to resign in connection with such matters;
  • Any other information that would be material to the prospective employer's fitness assessment.

Regulatory references must not be misleading by omission. The Global Head of Regulatory Affairs shall approve all regulatory references before they are issued. The Group shall not enter into settlement agreements or non-disclosure arrangements that prevent the provision of honest regulatory references.


8. Other Jurisdictional Requirements

8.1 Pakistan - State Bank of Pakistan (SBP)

The SBP requires Exchange Companies and their holding structures to ensure that key persons (directors, CEO, compliance officers) meet the SBP's fit and proper criteria, as set out in the Exchange Companies Manual. Key requirements include:

  • No conviction for financial crime, tax evasion, or moral turpitude;
  • No history of regulatory action by the SBP or equivalent body;
  • Minimum educational qualifications (degree-level for most senior positions);
  • Financial soundness (no default with banks or financial institutions).

The Simpaisa Pakistan compliance team shall maintain SBP fit and proper records and coordinate with the Group function for cross-border candidates.

8.2 Bangladesh - Bangladesh Bank

Bangladesh Bank requires that key persons of Mobile Financial Services (MFS) providers and their parent structures meet Bangladesh Bank's fit and proper requirements. The Bangladesh Compliance team shall liaise with the Group function and ensure that all Bangladesh Bank fit and proper approvals are current and that any changes are notified in accordance with Bangladesh Bank's timescales.

8.3 United Kingdom - FCA Senior Managers and Certification Regime (SM&CR)

Where the Group's UK entity is authorised by the FCA, the SM&CR applies. The SM&CR imposes individual accountability on Senior Managers and Certified Persons. Key requirements under SM&CR include:

  • All Senior Managers must be pre-approved by the FCA before taking up their role;
  • Certified Persons must be assessed and certified as fit and proper by the firm annually;
  • All FCA-regulated individuals are subject to Conduct Rules, breach of which must be reported to the FCA;
  • Regulatory references must be provided to requesting firms in a prescribed FCA format.

The UK Compliance team shall maintain SM&CR compliance and coordinate with the Group function. The UK Regulatory Affairs lead shall assess whether any Group-level F&P event triggers SM&CR notification obligations.

8.4 Canada - FINTRAC

FINTRAC's MSB registration requires disclosure of all individuals with ownership or control of the business, and persons responsible for compliance. Material changes in these individuals must be updated in the FINTRAC registration. The Canadian Compliance team shall maintain current FINTRAC registration and update as required.

8.5 Singapore - MAS

Under the Payment Services Act 2019, MAS requires that Major Payment Institutions and their Key Individuals (as defined by MAS) meet MAS fit and proper standards. MAS applies a broad assessment framework covering honesty, integrity, competence, and financial soundness. The Singapore Compliance team shall liaise with the Group function on all MAS fit and proper matters.


9. Remediation

9.1 Principles

Where an individual is assessed as failing to meet fitness and propriety standards - whether at pre-appointment assessment or during an event-driven reassessment - the Group shall respond proportionately, balancing regulatory obligations, operational continuity, and the individual's right to a fair process.

The presumption in all cases is that the Group will meet its regulatory obligations in full, including notification obligations, even where this has consequences for the individual concerned.

9.2 Remediation Options

Depending on the nature and severity of the fitness or propriety concern, the following remediation options may be considered:

Additional training or supervision: Where the concern relates to a gap in competence or capability (rather than integrity or financial soundness), a structured programme of additional training, mentoring, or enhanced supervision may be sufficient to address the gap. A time-bound remediation plan shall be documented, with clear milestones and a re-assessment date.

Role restriction: Where the concern relates to a specific aspect of the individual's role, the Group may restrict their responsibilities on an interim basis while the concern is investigated or addressed. This is most appropriate where a formal regulatory finding or charge is pending, and the individual's guilt or culpability has not been established.

Role change: Where the individual does not meet the fitness and propriety requirements for their current role but may be suitable for a non-regulated or lower-responsibility position within the Group, a role change may be considered, subject to the individual's agreement and the absence of any regulatory bar on continued employment.

Removal from role: Where the individual's failure to meet fitness and propriety standards is material, or where a role restriction or change is not sufficient or appropriate, the individual shall be removed from their role. Removal shall be handled in accordance with applicable employment law in the relevant jurisdiction, in consultation with HR and legal counsel.

Regulatory notification: In all cases where removal is triggered by a regulatory or criminal finding, or where the DFSA or other regulator requires notification, the appropriate notification shall be made in accordance with Section 7, irrespective of the individual's employment status.

9.3 Interim Measures

Where an event-driven reassessment is triggered and the outcome is not yet determined, the Global Head of Regulatory Affairs may recommend interim measures to the Group CEO, including temporary suspension from regulated functions or enhanced oversight, pending the outcome of the assessment. Interim measures shall be proportionate and shall not pre-judge the outcome.


10. Record-Keeping

10.1 Authorised Individuals Register

The Global Head of Regulatory Affairs shall maintain a Group Authorised Individuals Register, which records:

  • All in-scope persons, categorised by tier and jurisdiction;
  • The date and outcome of each pre-appointment assessment;
  • The date and outcome of each annual self-declaration;
  • DFSA Authorised Individual application status and reference number;
  • Equivalent regulatory approvals in other jurisdictions;
  • Any event-driven reassessments and their outcomes;
  • Any notifications made to regulators;
  • Date of departure from the Group, and any post-departure regulatory reference provided.

The Register shall be maintained in a secure system and access shall be restricted to the Global Head of Regulatory Affairs, MLRO, Group CEO, and Board Audit and Risk Committee.

10.2 Retention Period

All fitness and propriety assessment records - including criminal record checks, regulatory references, credit check results, self-declarations, and assessment decisions - shall be retained for a minimum of six years from the date of the individual's departure from the Group, or from the date of assessment if the individual was not appointed.

This retention period reflects the DFSA's record-keeping requirements and the limitation periods applicable to regulatory and civil proceedings in DIFC and other key jurisdictions.

10.3 Data Protection

All personal data processed as part of the fitness and propriety assessment process shall be handled in accordance with the Group's Data Protection Policy and applicable data protection legislation (DIFC Data Protection Law 2020; UK GDPR; and equivalent local laws). Criminal record data and other sensitive personal data shall be subject to enhanced access controls and shall only be retained for as long as necessary for the purpose for which it was collected.


11. Board and RemNom Committee Oversight

11.1 Board Responsibilities

The Board of Directors is responsible for:

  • Approving this policy and ensuring it is consistent with the Group's regulatory obligations;
  • Approving the appointment and removal of all Tier 1 in-scope persons;
  • Receiving an annual report from the Global Head of Regulatory Affairs on the operation of the fitness and propriety programme, including: the number of assessments conducted; any material adverse findings; any regulatory notifications made; and any remediation actions taken;
  • Receiving immediate notification of any material fitness and propriety event affecting a Tier 1 person.

11.2 Remuneration and Nominations Committee (RemNom)

Where the Group has a Remuneration and Nominations Committee, that Committee shall:

  • Review and recommend to the Board the appointment of all Tier 1 in-scope persons, following receipt of the pre-appointment fitness and propriety assessment;
  • Oversee the ongoing fitness monitoring programme on behalf of the Board;
  • Consider any remediation recommendations involving Tier 1 persons.

Where the Group does not have a formal RemNom Committee, these responsibilities shall be discharged by the full Board.

11.3 Annual Board Report

The Global Head of Regulatory Affairs shall present an annual Fitness and Propriety Report to the Board each April, covering the preceding year. The report shall include:

  • Number of pre-appointment assessments conducted;
  • Number of DFSA Authorised Individual applications submitted and outcomes;
  • Number of annual self-declarations received and any material disclosures;
  • Number of event-driven reassessments triggered and outcomes;
  • Number of regulatory notifications made to the DFSA and other regulators;
  • Any open remediation actions and their status;
  • Any changes to the regulatory F&P landscape in operating jurisdictions;
  • Recommendations for changes to this policy or the assessment process.

12. Roles and Responsibilities

Role | Responsibility
Board of Directors | Policy approval; appointment approval for Tier 1; receipt of annual F&P report
RemNom Committee | Pre-appointment recommendation for Tier 1; oversight of programme
Global Head of Regulatory Affairs / MLRO (Shoukat Bizinjo) | Policy owner; pre-appointment assessment coordination; annual self-declaration administration; event-driven reassessment; DFSA application management; Authorised Individuals Register maintenance; annual Board report
Group CEO | Approval of DFSA Authorised Individual applications; receipt of Tier 2 remediation recommendations; escalation point
HR | Coordination of criminal record checks and employment verification; employment law advice on remediation; regulatory reference drafting support
Legal Counsel | Advice on regulatory notification obligations; regulatory reference content; remediation employment law issues
Country Compliance Teams | Local regulatory F&P compliance; coordination with Group function on cross-border candidates; local regulatory authority notifications
In-Scope Individuals | Annual self-declaration submission; prompt disclosure of material changes; cooperation with assessment process

13. Document Control and Review

This policy shall be reviewed annually by the Global Head of Regulatory Affairs and approved by the Board. An interim review shall be triggered by any of the following:

  • Material change to DFSA GEN Module or PIB Module requirements relating to Authorised Individuals or Key Persons;
  • Regulatory change in any other operating jurisdiction affecting individual approval requirements;
  • Material fitness and propriety event requiring policy revision;
  • Regulatory finding or audit recommendation relating to F&P processes.

Version | Date | Author | Change Summary
1.0 | April 2026 | Shoukat Bizinjo, MLRO | Initial issue

End of Document - Simpaisa Group Risk and Prudential Suite v1.0 - April 2026
Classification: Confidential - Board Restricted