Cross-Border Compliance Framework
Organisation: Simpaisa Holdings
Document Owner: Daniel O'Reilly, Chief Digital Officer
Classification: Confidential
Version: 1.0
Date: 3 April 2026
Status: Active
Jurisdictions: Pakistan, Bangladesh, Nepal, Iraq, UAE
Table of Contents
- Purpose
- Jurisdiction Overview
- Per-Jurisdiction Compliance Requirements
- Compliance Matrix
- Product-Specific Compliance
- Reporting Calendar
- Compliance Monitoring
- Risk Matrix
- Remediation Tracker
- Appendix: Key Regulatory References
1. Purpose
Simpaisa operates a payment gateway across five jurisdictions, each with distinct regulatory regimes, licensing requirements, data protection rules, and reporting obligations. This framework exists to:
- Map every compliance obligation across all jurisdictions to ensure nothing is missed.
- Identify gaps between current capabilities and regulatory requirements.
- Provide a single reference for the CDO, Compliance, Legal, and Engineering teams when making product, infrastructure, or data architecture decisions.
- Prevent regulatory surprises — a compliance failure in any single jurisdiction can cascade to affect operations in all markets (reputational damage, partner confidence, licence reviews in other jurisdictions).
1.1 Business Context
| Metric | Value |
|---|---|
| Annual transactions | 270M+ |
| Annual transaction value | $1B+ |
| Operating markets | Pakistan, Bangladesh, Nepal, Iraq |
| Holding company | UAE (Simpaisa Holdings) |
| Product lines | Pay-Ins, Pay-Outs (Disbursements), Remittances, Cards |
2. Jurisdiction Overview
| Jurisdiction | Regulator | Licence Type | Primary Legislation | Secondary Regulations |
|---|---|---|---|---|
| Pakistan | State Bank of Pakistan (SBP) — Payment Systems Department (PSP&OD) | PSO/PSP Licence | Payment Systems and Electronic Fund Transfers Act 2007 (PS&EFT Act) | PSO/PSP Rules 2014 (PSD Circular No. 03/2014); EMI Regulations 2023; AML Act 2010; Electronic Transactions Ordinance 2002; SBP Technology Risk Management Framework 2025 |
| Bangladesh | Bangladesh Bank — Payment Systems Department | PSP Licence / MFS Licence | Bangladesh Payment and Settlement Systems Regulations 2014 | MFS Regulations 2022; Money Laundering Prevention Act 2012 (MLPA); Anti-Terrorism Act 2009; ICT Security Guideline v4.0 (2023); BFIU circulars |
| Nepal | Nepal Rastra Bank (NRB) — Payment Systems Department | PSP Licence | Payment and Settlement Act 2075 (2019) | Payment and Settlement Bylaw 2072 (2015, amended); Licensing Policy for Payment Institutions 2079 (2023); NRB Unified Directives |
| Iraq | Central Bank of Iraq (CBI) | Electronic Payment Service Provider Licence | Central Bank of Iraq Law No. 56 of 2004 | Electronic Payment Services Regulation 2024 (Official Gazette, 29 April 2024); AML/CFT Law No. 39 of 2015; CBI digital banking regulations (March 2024) |
| UAE | DFSA (DIFC) / CBUAE (onshore) | Holding company registration (DIFC); CBUAE RPSCS licence if offering retail payment services onshore | DIFC Regulatory Law 2004; Federal Decree-Law No. 14 of 2018 (CBUAE Law, replaced by New CBUAE Law effective Sept 2025) | DIFC Data Protection Law No. 5 of 2020; CBUAE Retail Payment Services and Card Schemes Regulation (Circular 15/2021); Federal Decree-Law No. 45 of 2021 on Personal Data Protection |
3. Per-Jurisdiction Compliance Requirements
3.1 Pakistan (SBP)
| Requirement | Detail |
|---|---|
| Regulatory body | State Bank of Pakistan — Payment Systems & Oversight Department (PSP&OD). Primary contact: PSD circulars and formal correspondence. |
| Licence conditions | PSO/PSP licence under PS&EFT Act 2007. Renewal conditions tied to ongoing compliance with PSD circulars. Products, schemes, and service offerings require prior SBP approval. Changes to technological platforms require prior SBP approval. |
| Data localisation | Mandatory. PSO/PSP Rules 2014 require maintaining processing systems within Pakistan. Transaction data must reside on servers located in Pakistan. SBP Cloud Outsourcing Framework (BPRD Circular 04/2023) permits cloud usage but critical data must remain within Pakistan or approved jurisdictions. |
| Transaction reporting | Daily settlement reporting to SBP. Monthly statistical returns to Payment Systems Department. Annual payment systems review data submission. Suspicious Transaction Reports (STRs) to Financial Monitoring Unit (FMU) as required. |
| AML/KYC | AML Act 2010 and SBP AML/CFT regulations. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) for high-risk transactions. Sanctions screening (UN, OFAC, local lists). STR filing with FMU. Record retention: 5 years post-transaction. |
| Incident reporting | Immediate notification to SBP PSD for security incidents affecting payment systems. CERT-PK notification for cybersecurity incidents. No specific timeline codified; "as soon as practicable" is the standard. |
| Audit requirements | Annual external audit (Big 4 or SBP-approved auditor). SBP on-site inspection at SBP's discretion. IS audit as required by SBP Technology Risk Management Framework 2025. |
| Capital adequacy | As specified in PSO/PSP Rules 2014; minimum paid-up capital requirements per licence category. |
| Consumer protection | Fair treatment of consumers; transparent fee disclosure; dispute resolution mechanism required. |
| Cross-border restrictions | Remittance transactions governed by SBP Foreign Exchange regulations. Authorised dealer licences required for FX transactions. Home remittance facilitation through authorised channels only. |
| Technology requirements | SBP Technology Risk Management Framework 2025 (PSP&OD Circular 04/2025). Business continuity and disaster recovery planning mandatory. Information security management per SBP guidelines. |
| Record retention | Electronic records of transactions: minimum 10 years (PS&EFT Regulations). AML records: minimum 5 years (AML Act 2010). |
3.2 Bangladesh (Bangladesh Bank)
| Requirement | Detail |
|---|---|
| Regulatory body | Bangladesh Bank — Payment Systems Department. BFIU (Bangladesh Financial Intelligence Unit) for AML. |
| Licence conditions | PSP licence under Bangladesh Payment and Settlement Systems Regulations 2014. MFS licence for mobile financial services under MFS Regulations 2022. A scheduled commercial bank or financial institution must establish a subsidiary with a bank or non-bank entity as equity partner to obtain an MFS licence. |
| Data localisation | Mandatory. Bangladesh Bank ICT Security Guideline v4.0 (2023) requires financial data to be stored within Bangladesh. MFS Regulations 2022 mandate data localisation for all MFS-related data. All manufactured, collected, and processed data must be stored inside the country per ICT policy. |
| Transaction reporting | Monthly reporting to Bangladesh Bank Payment Systems Department. Real-time reporting for transactions exceeding threshold amounts. STR/SAR filing with BFIU. Annual audited financial statements. |
| AML/KYC | Money Laundering Prevention Act 2012 (MLPA). Anti-Terrorism Act 2009. BFIU circulars on CDD, EDD, and PEP screening. MFS providers must monitor transaction patterns for unauthorised/suspicious activities. Agent sensitisation on AML/CFT risks required. |
| Incident reporting | Bangladesh Bank: within 24 hours for significant incidents. BFIU: immediate notification for AML-related breaches. BB ICT Security Guideline requires immediate incident reporting to BB. |
| Audit requirements | Annual external audit. Bangladesh Bank reserves the right to conduct on-site inspections at any time. IS audit per ICT Security Guideline v4.0. |
| Capital adequacy | As specified in PSP/MFS licence conditions. MFS providers must maintain minimum capital as prescribed by Bangladesh Bank. |
| Consumer protection | MFS Regulations 2022 include consumer protection provisions: transparent pricing, dispute resolution, fund segregation. Customer funds must be maintained in a trust account. |
| Cross-border restrictions | Bangladesh Bank foreign exchange regulations apply to cross-border transactions. Remittance inflows through authorised channels. |
| Technology requirements | ICT Security Guideline v4.0 (2023) — comprehensive technology and security requirements for all financial institutions. Robust IT infrastructure mandatory. |
| Record retention | Transaction records: minimum 5 years. AML records: minimum 5 years (MLPA 2012). Audit trail: minimum 5 years. |
3.3 Nepal (Nepal Rastra Bank)
| Requirement | Detail |
|---|---|
| Regulatory body | Nepal Rastra Bank — Payment Systems Department. Financial Information Unit (FIU) for AML. |
| Licence conditions | PSP licence under Payment and Settlement Act 2075 (2019). Section 5 prohibits operating as PSO/PSP without prior NRB approval/licence. Licensing Policy for Payment Institutions 2079 (2023) defines licence categories and requirements. Minimum paid-up capital: NPR 150 million (domestic PSP); NPR 250 million (PSP with foreign investment). |
| Data localisation | Mandatory. NRB requires PSP infrastructure to be located in Nepal. Government-approved data centres only. Payment and Settlement Act 2019 grants NRB authority to specify infrastructure requirements. |
| Transaction reporting | Monthly reporting to NRB Payment Systems Department per Section 27 of the Act. Reporting requirements as specified in NRB directives. STR filing with FIU. |
| AML/KYC | Asset (Money) Laundering Prevention Act 2064 (2008). NRB KYC directives. CDD and EDD requirements. PEP and sanctions screening. |
| Incident reporting | NRB: within 24 hours for significant incidents. NRB Payment Systems Department to be notified of any disruption to payment services. |
| Audit requirements | Annual external audit (NRB-approved auditor). NRB supervision, monitoring, and inspection per Section 42 of the Act. NRB may issue regulatory directions per Section 45. |
| Capital adequacy | Minimum paid-up capital as specified in Licensing Policy 2079: NPR 150 million (domestic); NPR 250 million (foreign investment). Additional capital requirements based on transaction volume. |
| Consumer protection | Transparent fee structures and disclosure policies. Service Level Agreements (SLAs) with partner institutions. Clear and timely transaction receipts to customers. Dispute resolution mechanism. |
| Cross-border restrictions | Foreign exchange transactions governed by NRB Foreign Exchange Regulation Act. Nepal Rastra Bank controls on cross-border payment flows. |
| Technology requirements | Adequate technology infrastructure per NRB directives. Cybersecurity requirements per NRB circulars. Business continuity planning. |
| Record retention | Transaction records: minimum 5 years. AML records: minimum 5 years. Clear segregation of customer funds from operational accounts. Adequate liquidity for settlement obligations. |
3.4 Iraq (CBI)
| Requirement | Detail |
|---|---|
| Regulatory body | Central Bank of Iraq (CBI). AML/CFT Office for anti-money laundering. |
| Licence conditions | Electronic Payment Service Provider licence under CBI Electronic Payment Services Regulation 2024 (published in Official Gazette, 29 April 2024, replacing the 2014 regulation). Entities must obtain a licence from CBI. Service providers required to adjust operations to comply within 6 months of enforcement date. |
| Data localisation | Mandatory. CBI requires comprehensive records of all customer data and transactions to be maintained within Iraq. Minimum 5-year retention within Iraq. CBI requires on-site inspection capability. |
| Transaction reporting | Detailed reporting standards per CBI Electronic Payment Services Regulation 2024. AML/CFT compliance reporting to CBI AML/CFT Office. Suspicious Transaction Reports as required. |
| AML/KYC | AML/CFT Law No. 39 of 2015. CBI AML/CFT regulations and circulars. Robust AML compliance mandated by Electronic Payment Services Regulation 2024. Secure authentication (OTPs, biometrics). Mandatory reporting of suspicious activity. |
| Incident reporting | CBI: within 24 hours for significant incidents. Cybersecurity incidents reported to CBI per regulation. |
| Audit requirements | Annual external audit (CBI-approved auditor). CBI on-site inspection at CBI's discretion. Cybersecurity audit per CBI requirements. |
| Capital adequacy | As specified in CBI Electronic Payment Services Regulation 2024. Capital requirements for electronic payment service providers. |
| Consumer protection | Consumer protection provisions in CBI regulation. Transparency and trust in digital transactions. Secure authentication requirements. |
| Cross-border restrictions | CBI foreign exchange controls. Cross-border payment regulations per CBI circulars. |
| Technology requirements | Robust cybersecurity measures mandated by CBI Electronic Payment Services Regulation 2024. Technology and security standards per CBI circulars. |
| Record retention | Customer data and transactions: minimum 5 years (CBI Regulation 2024). AML records: minimum 5 years. |
3.5 UAE — Holding Company (DIFC / CBUAE)
| Requirement | Detail |
|---|---|
| Regulatory body | Dubai Financial Services Authority (DFSA) for DIFC entities. Central Bank of UAE (CBUAE) for onshore operations. Data Protection Commissioner (DIFC) for data protection. |
| Licence conditions | DIFC: holding company registration if not offering financial services from DIFC. CBUAE: Retail Payment Services and Card Schemes (RPSCS) licence required if offering retail payment services onshore UAE (Circular 15/2021). New CBUAE Law effective September 2025 — existing regulations remain in force until replaced. Capital requirements scale with transaction volumes; AED 100,000 minimum for payment initiation services. |
| Data localisation | DIFC: No mandatory data localisation. Cross-border transfers permitted to jurisdictions with adequate protection or with appropriate safeguards (standard contractual clauses, binding corporate rules). Onshore UAE: Federal Decree-Law No. 45 of 2021 — data localisation requirements per sector-specific regulations. |
| Transaction reporting | DFSA/CBUAE reporting as required by licence conditions. Annual audited financial statements. Regulatory returns per CBUAE schedule. |
| AML/KYC | Federal AML Law (Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering). CBUAE AML/CFT regulations. CDD, EDD, sanctions screening. STR filing with UAE Financial Intelligence Unit (FIU). |
| Incident reporting | DIFC Data Protection Commissioner: within 72 hours for personal data breaches (DIFC Data Protection Law 2020, Article 41). CBUAE: as required by licence conditions. |
| Audit requirements | Annual external audit. DFSA/CBUAE inspection at regulator's discretion. |
| Capital adequacy | CBUAE RPSCS: capital requirements scale with average monthly transaction value. Exceeding AED 10 million monthly average for three consecutive months triggers higher capital obligations. CBUAE reserves right to impose higher aggregate capital requirements. |
| Consumer protection | CBUAE Consumer Protection Regulation (Circular 8/2020). DIFC Consumer Protection regime. Data subject rights under DIFC Data Protection Law 2020. |
| Cross-border restrictions | UAE FX regulations per CBUAE. DIFC operates as a common law jurisdiction with its own regulatory framework. |
| Technology requirements | CBUAE technology and cybersecurity requirements per RPSCS regulation. DIFC technology governance per DFSA regulations. |
| Record retention | DFSA/DIFC: 6 years. CBUAE: as per RPSCS regulation. AML records: 6 years. |
4. Compliance Matrix
4.1 Cross-Jurisdiction Requirement Comparison
| Requirement | PK (SBP) | BD (BB) | NP (NRB) | IQ (CBI) | AE (DIFC/CBUAE) |
|---|---|---|---|---|---|
| Data localisation | Mandatory | Mandatory | Mandatory | Mandatory | DIFC: No; Onshore: Sector-specific |
| Incident reporting timeline | Immediate / ASAP | 24 hours | 24 hours | 24 hours | 72 hours (DIFC DPA) |
| Audit frequency | Annual + SBP on-site | Annual + BB on-site | Annual + NRB on-site | Annual + CBI on-site | Annual + DFSA/CBUAE on-site |
| Transaction retention | 10 years | 5 years | 5 years | 5 years | 6 years |
| AML record retention | 5 years | 5 years | 5 years | 5 years | 6 years |
| Audit trail retention | 5 years | 5 years | 5 years | 5 years | 6 years |
| AML reporting | FMU (STRs) | BFIU (STRs) | FIU (STRs) | CBI AML Office | UAE FIU (STRs) |
| Consumer data protection law | Pending legislation | Digital Security Act 2018 | Individual Privacy Act 2018 | No comprehensive law | DIFC DPL 2020; Federal DL 45/2021 |
| Right to erasure | No | Limited | Limited | No | Yes (DIFC DPL Art 24) |
| Capital adequacy | Per PSO/PSP Rules | Per BB licence | NPR 150M (domestic) / 250M (foreign) | Per CBI Regulation | Per CBUAE RPSCS (scales with volume) |
| Prior approval for tech changes | Yes (SBP) | Yes (BB) | Yes (NRB) | Yes (CBI) | Per licence conditions |
| Prior approval for products | Yes (SBP) | Yes (BB) | Yes (NRB) | Yes (CBI) | Per licence conditions |
4.2 Simpaisa Policy: Apply the Strictest
When requirements conflict across jurisdictions, Simpaisa applies the most restrictive requirement as the global baseline:
| Requirement | Strictest Jurisdiction | Simpaisa Global Standard |
|---|---|---|
| Transaction retention | Pakistan (10 years) | 10 years across all markets |
| AML record retention | UAE (6 years) | 6 years across all markets (exceeds PK/BD/NP/IQ 5-year requirement) |
| Incident reporting | UAE (72 hours for data breach); Pakistan (immediate) | 2 hours for critical incidents across all markets (Simpaisa internal standard) |
| Data localisation | PK, BD, NP, IQ (mandatory) | Per-market data residency — transaction data remains in the originating jurisdiction |
| Right to erasure | UAE | Supported — anonymisation of PII after retention period, with regulatory holds respected |
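The retention and erasure rules above are mechanical enough to encode. The following is an added example (not Simpaisa code) that resolves the strictest period per record type from the Section 4.1 values, then decides whether a record is retained, held or anonymised; the record layout, the PII field names and the sample records are assumptions.

```python
"""Retention resolver for the 'apply the strictest' policy (added example)."""
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date

# Retention periods in years per jurisdiction, from the Compliance Matrix (Section 4.1).
RETENTION_YEARS: dict[str, dict[str, int]] = {
    "transaction": {"PK": 10, "BD": 5, "NP": 5, "IQ": 5, "AE": 6},
    "aml":         {"PK": 5,  "BD": 5, "NP": 5, "IQ": 5, "AE": 6},
    "audit_trail": {"PK": 5,  "BD": 5, "NP": 5, "IQ": 5, "AE": 6},
}

# Field names treated as PII when anonymising (assumed names).
PII_FIELDS = {"customer_name", "msisdn", "national_id", "address"}


def strictest_retention(record_type: str) -> tuple[str, int]:
    """Jurisdiction and period (years) of the longest retention for a record type."""
    periods = RETENTION_YEARS[record_type]
    jurisdiction = max(periods, key=periods.__getitem__)  # first maximum wins
    return jurisdiction, periods[jurisdiction]


def global_baseline() -> dict[str, int]:
    """The Simpaisa global standard: the strictest period for every record type."""
    return {rt: strictest_retention(rt)[1] for rt in RETENTION_YEARS}


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb start rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str          # key of RETENTION_YEARS
    market: str               # originating jurisdiction; data stays there (Section 4.2)
    created: date
    fields: dict              # may contain PII_FIELDS
    regulatory_hold: bool = False
    anonymised: bool = False


def retention_expiry(rec: Record) -> date:
    """First date on which the global (strictest) period has elapsed."""
    return add_years(rec.created, global_baseline()[rec.record_type])


def _as_date(today: date | str) -> date:
    return today if isinstance(today, date) else date.fromisoformat(today)


def disposition(rec: Record, today: date | str) -> str:
    """'retain' inside the global period, 'hold' if a regulator hold is active
    after expiry, otherwise 'anonymise'. An erasure request is handled by the
    same rule, so a request received inside the period is deferred, not executed."""
    if rec.anonymised:
        return "done"
    if _as_date(today) < retention_expiry(rec):
        return "retain"
    if rec.regulatory_hold:
        return "hold"
    return "anonymise"


def anonymise(rec: Record) -> Record:
    """Blank PII fields but keep the financial fields needed for reconciliation."""
    scrubbed = {k: (None if k in PII_FIELDS else v) for k, v in rec.fields.items()}
    return replace(rec, fields=scrubbed, anonymised=True)


def process(records: list[Record], today: date | str) -> dict[str, list[str]]:
    """Run the retention job over a batch; record IDs grouped by action."""
    out: dict[str, list[str]] = {"retain": [], "hold": [], "anonymise": [], "done": []}
    for rec in records:
        out[disposition(rec, today)].append(rec.record_id)
    return out


def sample_records() -> list[Record]:
    """Constructed sample data, not real transactions."""
    return [
        # BD alone would allow disposal after 5 years; the 10-year global baseline keeps it.
        Record("txn-001", "transaction", "BD", date(2015, 6, 30),
               {"amount": 1500, "customer_name": "A. Rahman", "msisdn": "+8801XXXXXXXXX"}),
        # Past the period, but a regulator hold blocks anonymisation.
        Record("txn-002", "transaction", "PK", date(2014, 1, 15),
               {"amount": 980, "customer_name": "S. Khan"}, regulatory_hold=True),
        # AML record still inside the 6-year global period.
        Record("aml-003", "aml", "NP", date(2020, 3, 1), {"screened_lists": ["UN", "OFAC"]}),
    ]


if __name__ == "__main__":
    print(global_baseline())
    print(process(sample_records(), "2025-07-01"))
```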
5. Product-Specific Compliance
5.1 Pay-Ins
| Compliance Area | Requirements | Applicable Jurisdictions |
|---|---|---|
| Telco billing regulations | Compliance with PTA (Pakistan Telecommunication Authority) regulations for carrier billing. Operator-specific terms of service. Revenue share reporting to operators. | PK (Easypaisa, JazzCash), BD (bKash, Nagad), NP (eSewa, Khalti) |
| Wallet regulations | Per-operator wallet regulations and transaction limits. SBP EMI Regulations 2023 for electronic money issuance in Pakistan. BB MFS Regulations 2022 for mobile money in Bangladesh. NRB PSP licensing for payment wallets in Nepal. | PK, BD, NP |
| Transaction limits | Per-transaction and daily limits as prescribed by regulators. Pakistan: SBP-mandated limits per transaction type. Bangladesh: BB-mandated MFS transaction limits. Nepal: NRB-prescribed limits. | All markets |
| Consumer consent | Explicit customer consent required before charging. OTP verification for mobile-initiated payments. Transparent fee disclosure to end-user. | All markets |
| Refund regulations | Refund processing within regulator-prescribed timeframes. Merchant refund policies must comply with consumer protection regulations. | All markets |
5.2 Pay-Outs (Disbursements)
| Compliance Area | Requirements | Applicable Jurisdictions |
|---|---|---|
| Bank transfer regulations | Compliance with interbank transfer regulations. NIFT (National Institutional Facilitation Technologies) rules in Pakistan. Bangladesh Bank BEFTN (Bangladesh Electronic Fund Transfer Network) rules. | PK, BD |
| Anti-fraud requirements | Beneficiary verification before disbursement. Dual-authorisation for high-value disbursements. Velocity checks — flag unusual disbursement patterns. | All markets |
| Beneficiary screening | Sanctions list screening (UN, OFAC, local lists) before every disbursement. PEP (Politically Exposed Persons) screening. Adverse media screening for high-value beneficiaries. | All markets |
| Settlement requirements | Same-day settlement per regulator requirements. Settlement reconciliation reporting. | All markets |
| Tax withholding | Applicable tax deductions at source (TDS) per jurisdiction. Pakistan: FBR withholding tax requirements. | PK, BD |
5.3 Remittances
| Compliance Area | Requirements | Applicable Jurisdictions |
|---|---|---|
| Cross-border remittance regulations | SBP home remittance regulations (Pakistan as destination). Bangladesh Bank foreign remittance regulations. NRB remittance inflow regulations. | PK → BD, PK → NP |
| FX rate disclosure | Applicable exchange rate must be disclosed to sender before confirmation. Rate lock period documented (e.g., 30-second quote validity). Total cost of remittance (fees + FX margin) disclosed per World Bank transparency principles. | All corridors |
| AML enhanced due diligence | FATF Travel Rule compliance — originator and beneficiary information must accompany cross-border transfers. Enhanced due diligence for remittances exceeding threshold amounts. Sanctions screening at both originating and destination ends. Country-risk assessment for each corridor. | All corridors |
| Corridor-specific regulations | PK → BD: SBP authorised dealer requirements; BB inward remittance reporting. PK → NP: NRB inward remittance regulations. | Per corridor |
| Authorised channel requirements | Remittances must flow through authorised channels per SBP. Pakistan Remittance Initiative (PRI) compliance. | PK (origination) |
5.4 Cards
| Compliance Area | Requirements | Applicable Jurisdictions |
|---|---|---|
| PCI DSS v4.0.1 | Full PCI DSS compliance for card data processing. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) depending on transaction volume. Quarterly network vulnerability scans by Approved Scanning Vendor (ASV). Annual penetration testing. PAN storage prohibited post-authorisation (tokenisation required). CVV must never be stored. | All markets handling card transactions |
| Card scheme rules | Visa Core Rules and Visa Product and Service Rules. Mastercard Standards and Rules. Scheme-specific requirements for dispute resolution, chargebacks, and refunds. | All markets handling card transactions |
| 3D Secure | 3DS2 (EMV 3-D Secure) required for card-not-present transactions. SCA (Strong Customer Authentication) per scheme requirements. | All markets handling card transactions |
| Chargeback management | Chargeback response within card scheme timelines (Visa: 30 days; Mastercard: 45 days). Compelling evidence requirements. Chargeback monitoring: scheme thresholds (Visa: 0.9% chargeback ratio; Mastercard: 1.0%). | All markets handling card transactions |
| Card data residency | Card data processing environment may have additional residency requirements per card scheme and local regulator. | Per market |
6. Reporting Calendar
6.1 Monthly Obligations
| Month | Pakistan (SBP) | Bangladesh (BB) | Nepal (NRB) | Iraq (CBI) | UAE (DFSA/CBUAE) |
|---|---|---|---|---|---|
| Jan | Monthly stats | Monthly stats | Monthly stats; NRB mid-year review prep | Monthly stats | CBUAE quarterly return (Q4) |
| Feb | Monthly stats | Monthly stats | Monthly stats | Monthly stats | Monthly stats |
| Mar | Monthly stats; SBP quarterly return (Q3) | Monthly stats; BB quarterly return | Monthly stats; NRB quarterly return | Monthly stats; CBI quarterly return | Monthly stats |
| Apr | Monthly stats | Monthly stats | Monthly stats | Monthly stats | CBUAE quarterly return (Q1) |
| May | Monthly stats | Monthly stats | Monthly stats | Monthly stats | Monthly stats |
| Jun | Monthly stats; SBP quarterly return (Q4); Annual review data | Monthly stats; BB quarterly return | Monthly stats; NRB annual review (fiscal year-end Ashad) | Monthly stats; CBI quarterly return | Monthly stats |
| Jul | Monthly stats; Annual audit submission | Monthly stats | Monthly stats; NRB annual report | Monthly stats | CBUAE quarterly return (Q2); DFSA annual return |
| Aug | Monthly stats | Monthly stats | Monthly stats | Monthly stats | Monthly stats |
| Sep | Monthly stats; SBP quarterly return (Q1) | Monthly stats; BB quarterly return | Monthly stats; NRB quarterly return | Monthly stats; CBI quarterly return | Monthly stats |
| Oct | Monthly stats | Monthly stats | Monthly stats | Monthly stats | CBUAE quarterly return (Q3) |
| Nov | Monthly stats | Monthly stats | Monthly stats | Monthly stats | Monthly stats |
| Dec | Monthly stats; SBP quarterly return (Q2); Annual compliance review | Monthly stats; BB quarterly return; Annual audit | Monthly stats; NRB quarterly return; Mid-year review (Poush) | Monthly stats; CBI quarterly return; Annual audit | Monthly stats; Annual audit; DIFC DPA compliance review |
6.2 Annual Obligations
| Obligation | PK | BD | NP | IQ | AE |
|---|---|---|---|---|---|
| External audit | By Sep (post-Jun FY end) | By Mar (post-Dec FY end) | By Oct (post-Ashad FY end) | Per CBI schedule | Per DFSA/CBUAE schedule |
| AML compliance report | Annual to SBP FMU | Annual to BFIU | Annual to NRB FIU | Annual to CBI AML Office | Annual to UAE FIU |
| Licence renewal | Per SBP schedule | Per BB schedule | Per NRB schedule | Per CBI schedule | Per DFSA/CBUAE schedule |
| PCI DSS assessment | Annual SAQ/ROC | Annual SAQ/ROC | Annual SAQ/ROC | Annual SAQ/ROC | Annual SAQ/ROC |
| Penetration test | Annual (SBP requirement) | Annual (BB ICT Guideline) | Annual (NRB requirement) | Annual (CBI requirement) | Annual (DFSA/CBUAE requirement) |
| DR test | Annual (SBP requirement) | Annual (BB requirement) | Annual (NRB requirement) | Annual (CBI requirement) | Annual (DFSA/CBUAE requirement) |
7. Compliance Monitoring
7.1 Compliance Evidence Trail
| Evidence Type | Purpose | Storage | Retention |
|---|---|---|---|
| Transaction audit logs | Prove transaction processing meets regulatory requirements | OpenSearch + S3 (per-market) | 10 years (SBP maximum) |
| AML screening records | Prove sanctions/PEP screening was performed for every transaction | AML screening system + S3 | 6 years (FTRA maximum) |
| Consent records | Prove customer consent was obtained for each transaction | Database + S3 | Duration of relationship + 5 years |
| Data access logs | Prove PII access is authorised and audited | CloudTrail + OpenSearch | 10 years |
| Incident reports | Prove incidents were handled per regulatory timelines | Incident management system + S3 | 10 years |
| Regulatory correspondence | Prove timely responses to regulatory queries | Document management system | 10 years |
| Audit reports | Prove annual audit obligations met | Document management system | 10 years |
| Training records | Prove staff received compliance training | HR system | Duration of employment + 5 years |
7.2 Compliance Dashboard (Grafana)
| Panel | Description |
|---|---|
| Obligation tracker | Calendar view of upcoming regulatory deadlines per jurisdiction |
| AML screening rate | Percentage of transactions screened vs. total (must be 100%) |
| STR filing status | Number of STRs filed per jurisdiction per month |
| Data residency compliance | Confirmation that per-market data remains in designated infrastructure |
| Retention compliance | Status of automated archival/deletion per data type per jurisdiction |
| Incident response times | Time-to-report for security incidents vs. regulatory requirements |
| Audit finding tracker | Open findings from external audits with remediation status |
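The "AML screening rate" and "Data residency compliance" panels need a definition of what counts as a screened transaction and as a residency violation. The following added example (not Simpaisa code) computes both from constructed JSON-lines logs: a transaction counts as screened only if a screening record covering the UN, OFAC and local lists (Section 5.2) completed no later than the transaction itself, and residency follows the Section 4.2 rule that data stays in the originating market. Log field names and region codes are assumptions.

```python
"""Screening-rate and data-residency checks for the compliance dashboard (added example)."""
import json

# Section 4.2: transaction data remains in the originating jurisdiction.
# Region codes are assumed placeholders for the per-market infrastructure.
MARKET_REGION = {"PK": "pk-region", "BD": "bd-region", "NP": "np-region", "IQ": "iq-region"}

# Section 5.2: sanctions screening against UN, OFAC and local lists before every disbursement.
REQUIRED_LISTS = {"UN", "OFAC", "local"}

# Constructed sample logs (JSON lines); not real transactions.
TRANSACTION_LOG = """
{"txn_id": "t1", "market": "PK", "product": "payout", "ts": "2026-04-01T10:00:00Z", "stored_region": "pk-region"}
{"txn_id": "t2", "market": "BD", "product": "payout", "ts": "2026-04-01T10:05:00Z", "stored_region": "bd-region"}
{"txn_id": "t3", "market": "NP", "product": "payout", "ts": "2026-04-01T10:10:00Z", "stored_region": "np-region"}
{"txn_id": "t4", "market": "IQ", "product": "payin",  "ts": "2026-04-01T10:15:00Z", "stored_region": "pk-region"}
{"txn_id": "t5", "market": "PK", "product": "payout", "ts": "2026-04-01T10:20:00Z", "stored_region": "pk-region"}
"""
SCREENING_LOG = """
{"txn_id": "t1", "ts": "2026-04-01T09:59:58Z", "lists": ["UN", "OFAC", "local"], "result": "clear"}
{"txn_id": "t3", "ts": "2026-04-01T10:12:00Z", "lists": ["UN", "OFAC", "local"], "result": "clear"}
{"txn_id": "t4", "ts": "2026-04-01T10:14:50Z", "lists": ["UN", "OFAC", "local"], "result": "hit"}
{"txn_id": "t5", "ts": "2026-04-01T10:19:00Z", "lists": ["UN", "OFAC"], "result": "clear"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def valid_screenings(screens: list[dict], txn_ts: dict[str, str]) -> set[str]:
    """IDs whose screening completed, covered every required list, and ran no
    later than the transaction (timestamps share one ISO-8601 format, so
    string comparison is chronological)."""
    ok: set[str] = set()
    for s in screens:
        t_ts = txn_ts.get(s["txn_id"])
        if t_ts is None:
            continue                                   # screening for an unknown transaction
        if s["result"] not in ("clear", "hit"):
            continue                                   # pending or errored screening
        if not REQUIRED_LISTS <= set(s["lists"]):
            continue                                   # incomplete list coverage
        if s["ts"] > t_ts:
            continue                                   # screened after the fact
        ok.add(s["txn_id"])
    return ok


def screening_rate(txns: list[dict], screens: list[dict]) -> tuple[float, list[str]]:
    """Panel value (percent) plus the transactions that drag it below 100."""
    ts_by_id = {t["txn_id"]: t["ts"] for t in txns}
    ok = valid_screenings(screens, ts_by_id)
    unscreened = [t["txn_id"] for t in txns if t["txn_id"] not in ok]
    rate = 100.0 if not txns else 100.0 * (len(txns) - len(unscreened)) / len(txns)
    return rate, unscreened


def residency_violations(txns: list[dict]) -> list[str]:
    """Transactions stored outside their originating market's infrastructure."""
    return [t["txn_id"] for t in txns if t["stored_region"] != MARKET_REGION.get(t["market"])]


def dashboard(txn_log: str = TRANSACTION_LOG, screen_log: str = SCREENING_LOG) -> dict:
    """Values for the two panels and an overall pass/fail."""
    txns, screens = parse_jsonl(txn_log), parse_jsonl(screen_log)
    rate, unscreened = screening_rate(txns, screens)
    violations = residency_violations(txns)
    return {
        "screening_rate_pct": rate,
        "unscreened": unscreened,
        "residency_violations": violations,
        "compliant": rate == 100.0 and not violations,
    }


if __name__ == "__main__":
    print(json.dumps(dashboard(), indent=2))
```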
7.3 Compliance Reviews
| Review | Frequency | Participants | Output |
|---|---|---|---|
| Weekly compliance standup | Weekly | Compliance Officer, CDO, Legal | Status update on open obligations, upcoming deadlines, ongoing investigations |
| Monthly compliance review | Monthly | CDO, Compliance, Legal, Engineering leads | Detailed review of compliance posture, audit findings, remediation progress |
| Quarterly regulatory review | Quarterly | CDO, Compliance, Legal, external counsel | Review of regulatory changes across all jurisdictions; impact assessment on Simpaisa operations |
| Annual compliance audit | Annually | CDO, Board, external auditor | Comprehensive compliance assessment; board reporting |
8. Risk Matrix
8.1 Compliance Risk Assessment
| Risk | Jurisdiction(s) | Likelihood | Impact | Overall Risk | Mitigation |
|---|---|---|---|---|---|
| PII stored in plain text | All | High — current state confirmed | Critical — regulatory sanctions, breach damage in all markets | Critical | Column-level encryption programme (see PII-HANDLING-STANDARD.md) |
| Data localisation non-compliance | PK, BD, NP, IQ | Medium — infrastructure assessment needed | High — licence revocation, operational shutdown in market | High | Per-market infrastructure assessment; confirm data residency compliance per jurisdiction |
| No documented rate limiting | All | High — confirmed gap | High — DoS vulnerability; regulatory concern about security controls | High | Rate limiting implementation (see RATE-LIMITING-POLICY.md) |
| No secret rotation schedule | All | High — confirmed gap | High — compromised credentials enable unauthorised access | High | Secret rotation programme (see SECRET-MANAGEMENT-STANDARD.md) |
| Webhook payloads unsigned | All | High — confirmed gap | Critical — payment status spoofing, financial fraud | Critical | Webhook signing implementation (see SECURITY-ARCHITECTURE.md) |
| AML screening completeness unknown | All | Medium — screening may exist but is undocumented | Critical — regulatory sanctions, licence revocation | High | Document and verify AML screening coverage; ensure 100% screening rate |
| Incident reporting timelines untested | BD, NP, IQ | Medium — no evidence of incident reporting drill | High — regulatory sanctions for late reporting | Medium | Conduct incident response drill across all active markets |
| PCI DSS compliance gaps | All (Cards) | Medium — card data encrypted but full compliance undocumented | Critical — card scheme penalties, processing suspension | High | Formal PCI DSS assessment; SAQ or ROC completion |
| Cross-border data flow undocumented | PK → BD, PK → NP | High — confirmed gap | High — regulatory breach in multiple jurisdictions | High | Data flow register maintained and reviewed quarterly (see DATA-ARCHITECTURE.md) |
| Consumer protection mechanisms weak | All | Medium — dispute resolution undocumented | Medium — regulatory sanctions, consumer complaints | Medium | Document dispute resolution process per jurisdiction |
| Technology change approval not obtained | PK, BD | Low — uncertain if SBP/BB approval obtained for tech changes | High — regulatory non-compliance | Medium | Verify prior approvals; establish process for future tech changes |
8.2 Risk Scoring
| Score | Likelihood | Impact |
|---|---|---|
| Critical | Near certain to occur or has already occurred | Licence revocation, operational shutdown, significant financial penalty |
| High | Probable within 12 months | Regulatory sanctions, significant remediation cost, reputational damage |
| Medium | Possible within 12 months | Regulatory warning, moderate remediation cost |
| Low | Unlikely within 12 months | Minor administrative action |
9. Remediation Tracker
| ID | Finding | Source | Jurisdictions | Priority | Status | Owner | Target Date |
|---|---|---|---|---|---|---|---|
| CR-01 | PII stored in plain text across all products | Security Architecture (Section 11); Data Architecture (Section 6) | All | P0 | Not started | Data Platform + Engineering | Q3 2026 |
| CR-02 | No documented rate limiting | Security Architecture (Section 7) | All | P0 | Standard written; implementation pending | Platform Engineering | Q2 2026 |
| CR-03 | Webhook payloads unsigned | Security Architecture (Section 8) | All | P0 | Not started | Engineering | Q2 2026 |
| CR-04 | Surge token in deploy.sh | Security Architecture (Section 10) | N/A (infrastructure) | P0 | Known; rotate immediately | Platform Engineering | Immediate |
| CR-05 | No secret rotation schedule | Security Architecture (Section 10); Infrastructure Standards (Section 11) | All | P1 | Standard written; implementation pending | Platform Engineering | Q2 2026 |
| CR-06 | Data localisation compliance unverified | Data Architecture (Section 8) | PK, BD, NP, IQ | P1 | Assessment needed | Compliance + Infrastructure | Q2 2026 |
| CR-07 | Cross-border data flow documentation incomplete | Data Architecture (Section 8) | All | P1 | Partially documented | Compliance + Data Platform | Q2 2026 |
| CR-08 | PCI DSS compliance undocumented for Cards | Security Architecture (Section 14) | All (Cards) | P1 | Assessment needed | Compliance + Security | Q3 2026 |
| CR-09 | AML screening coverage undocumented | This document (Section 8) | All | P1 | Assessment needed | Compliance | Q2 2026 |
| CR-10 | Incident response drill not conducted | Incident Response Playbook | All | P2 | Playbook written; drill not conducted | Security + Compliance | Q2 2026 |
| CR-11 | Consumer protection / dispute resolution undocumented | This document (Section 5) | All | P2 | Not started | Compliance + Product | Q3 2026 |
| CR-12 | SBP/BB prior approval for technology changes unverified | This document (Section 3) | PK, BD | P2 | Assessment needed | Compliance + Legal | Q2 2026 |
| Priority | Definition | Timeline |
| --- | --- | --- |
| P0 | Compliance failure that could result in immediate regulatory action or active security vulnerability | Immediate (days to weeks) |
| P1 | Compliance gap that must be addressed to prevent regulatory risk in next audit cycle | Within current quarter |
| P2 | Compliance improvement that strengthens posture but is not an immediate regulatory risk | Within 2 quarters |
| P3 | Best practice adoption; no immediate regulatory risk | Within 12 months |

10. Appendix: Key Regulatory References
10.1 Pakistan

| Regulation | Reference | URL / Source |
| --- | --- | --- |
| Payment Systems and Electronic Fund Transfers Act 2007 | PS&EFT Act | SBP legislation repository |
| Rules for Payment System Operators and Payment Service Providers 2014 | PSD Circular No. 03 of 2014 | https://www.sbp.org.pk/psd/2014/C3-Annex.pdf |
| Electronic Fund Transfers Regulations | PSD 2018 Annex A | https://www.sbp.org.pk/psd/2018/C3-Annex-A.pdf |
| Regulations for Electronic Money Institutions (EMIs) 2023 | PSD 2023 Circular | https://www.sbp.org.pk/psd/2023/C3-Enclosure-Regulations-EMIs.pdf |
| Anti-Money Laundering Act 2010 | AML Act | National Assembly legislation |
| SBP Cloud Outsourcing Framework | BPRD Circular 04/2023 | https://www.sbp.org.pk/bprd/2023/C4.htm |
| Technology Risk Management Framework 2025 | PSP&OD Circular 04/2025 | https://www.sbp.org.pk/psd/2025/C4-annex.pdf |
| PSP&OD Circular No. 02 of 2025 | Latest PSP&OD circular | https://www.sbp.org.pk/psd/2025/C2.htm |

10.2 Bangladesh

| Regulation | Reference | URL / Source |
| --- | --- | --- |
| Bangladesh Payment and Settlement Systems Regulations 2014 | BB PSD regulations | Bangladesh Bank PSD |
| Mobile Financial Services (MFS) Regulations 2022 | BB MFS Regulations | https://www.bb.org.bd/aboutus/draftguinotification/guideline/mfs_final_v9.pdf |
| BB PSD Circular 04/2022 (MFS Regulations) | PSD Circular | https://www.bb.org.bd/mediaroom/circulars/psd/feb152022psd04e.pdf |
| Money Laundering Prevention Act 2012 | MLPA 2012 | Bangladesh national legislation |
| Anti-Terrorism Act 2009 | ATA 2009 | Bangladesh national legislation |
| ICT Security Guideline v4.0, 2023 | BB ICT Security | https://www.bb.org.bd/aboutus/regulationguideline/brpd/guideline_v3_ict.pdf (v3; v4 via BB website) |
| BFIU circulars | AML/CFT guidance | Bangladesh Bank BFIU |

10.3 Nepal

| Regulation | Reference | URL / Source |
| --- | --- | --- |
| Payment and Settlement Act 2075 (2019) | NRB PSA | Nepal Rastra Bank PSD |
| Payment and Settlement Bylaw 2072 (2015, amended) | NRB PSB | https://www.nrb.org.np/contents/uploads/2019/12/PS_bylaw_2072_ii_amendment_in_english.pdf |
| Licensing Policy for Payment Institutions 2079 (2023) | NRB licensing | https://pradhanlaw.com/publications/licensing-policy-for-institutions-that-perform-payment-related-work-2079-2023-ad |
| Asset (Money) Laundering Prevention Act 2064 (2008) | AML Act | Nepal national legislation |
| NRB Payment Systems Oversight Reports | Annual reports | https://www.nrb.org.np/psd/ |
| National Payment Switch (NPS) Master Reference Document 2025 | NPS framework | https://www.nrb.org.np/contents/uploads/2025/10/National-Payment-Switch-NPS-and-the-National-Payment-Ecosystem-Master-Reference-Document-2025.pdf |

10.4 Iraq

| Regulation | Reference | URL / Source |
| --- | --- | --- |
| Central Bank of Iraq Law No. 56 of 2004 | CBI Law | CBI legislation |
| Electronic Payment Services Regulation 2024 | CBI EPS Regulation (Official Gazette, 29 April 2024) | https://www.iraq-businessnews.com/2025/05/01/central-bank-of-iraq-issues-new-regs-for-electronic-payment-providers/ |
| AML/CFT Law No. 39 of 2015 | AML/CFT Law | Iraq national legislation; https://membercheck.com/aml-cft-legislation-in-iraq/ |
| CBI Digital Banking Regulations (March 2024) | CBI digital banking | CBI circulars |

10.5 UAE

| Regulation | Reference | URL / Source |
| --- | --- | --- |
| DIFC Data Protection Law No. 5 of 2020 | DIFC DPL | https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/data-protection-law-difc-law-no-5-2020 |
| DIFC Data Protection Regulations | DIFC DPR | https://www.dataguidance.com/sites/default/files/data_protection_regualtions_final.pdf |
| CBUAE Retail Payment Services and Card Schemes Regulation | Circular 15/2021 | https://rulebook.centralbank.ae/en/rulebook/retail-payment-services-and-card-schemes-regulation |
| New CBUAE Law (effective September 2025) | Replaces 2018 Law | https://www.whitecase.com/insight-alert/uae-enacts-new-cbuae-law-which-repeals-and-replaces-2018-law |
| Federal Decree-Law No. 45 of 2021 on Personal Data Protection | Federal DPL | UAE federal legislation |
| Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering | Federal AML | UAE federal legislation |
| CBUAE Consumer Protection Regulation | Circular 8/2020 | CBUAE rulebook |

Cross-References