W-31: Compliance & Regulatory Ways of Work

| Field | Value |
|---|---|
| Document | W-31 |
| Title | Compliance & Regulatory Ways of Work |
| Status | Draft |
| Owner | Global Head Regulatory (Shoukat Bizinjo) |
| Created | 2026-04-05 |
| Review | Quarterly |
| Depends On | W-01 (Company Operating Rhythm), W-22 (Country Operations Ways of Work), Regulatory Playbooks (PK, BD, NP, IQ, AE, KSA), STD-GOV-132 (Compliance Calendar Automation) |

Purpose

Define how Simpaisa's compliance and regulatory function operates across all six markets. This document establishes the cadences, processes, and responsibilities for regulatory reporting, STR filing, audit preparation, licence management, compliance monitoring, regulatory change management, AML/KYC programme reviews, and sanctions screening.

Simpaisa operates as a licensed payment service provider in multiple jurisdictions, each with distinct regulatory frameworks. A single compliance failure in any market can result in licence suspension, fines, or reputational damage. This document ensures consistent, auditable compliance practices across the group.

1. Regulatory Reporting Calendar

1.1 Master Calendar

The regulatory reporting calendar is maintained in the compliance management system and synchronised with STD-GOV-132 (Compliance Calendar Automation). The Global Head Regulatory owns the master calendar.

| Market | Regulator | Report | Frequency | Deadline | Preparer | Reviewer |
|---|---|---|---|---|---|---|
| PK | SBP | Transaction volumes and values | Monthly | 15th of following month | PK Compliance Officer | Global Head Regulatory |
| PK | FMU | CTR (Currency Transaction Report) | Monthly | 15th of following month | PK Compliance Officer | Global Head Regulatory |
| PK | PTA | Service quality metrics | Quarterly | 30 days after quarter end | PK Compliance Officer | Global Head Regulatory |
| BD | BB | MFS transaction returns | Monthly | 10th of following month | BD Compliance Officer | Global Head Regulatory |
| BD | BFIU | AML compliance report | Quarterly | 30 days after quarter end | BD Compliance Officer | Global Head Regulatory |
| NP | NRB | PSP transaction report | Monthly | 15th of following month | NP Compliance Officer | Global Head Regulatory |
| NP | FIU-Nepal | AML compliance report | Quarterly | 30 days after quarter end | NP Compliance Officer | Global Head Regulatory |
| IQ | CBI | Transaction and compliance report | Monthly | 20th of following month | IQ Compliance Officer | Global Head Regulatory |
| AE | CBUAE | SVF/PSP returns | Quarterly | 45 days after quarter end | AE Compliance Officer | Global Head Regulatory |
| AE | SCA | Consumer protection report | Annual | Per SCA calendar | AE Compliance Officer | Global Head Regulatory |
| KSA | SAMA | Pre-launch: sandbox reports | As required | Per SAMA schedule | KSA Compliance Officer | Global Head Regulatory |

1.2 Reporting Process

  1. Country Compliance Officer prepares the report using the approved template (per the relevant Regulatory Playbook).
  2. Report submitted to the Global Head Regulatory for review at least 3 business days before the regulatory deadline.
  3. Global Head Regulatory reviews and approves.
  4. Country Compliance Officer submits to the regulator.
  5. Submission confirmation (receipt, reference number) logged in the compliance management system.
  6. If a deadline is at risk of being missed, the Country Head and CEO are notified immediately.

1.3 Playbook References

Each market's detailed reporting requirements, templates, and regulator contact details are in the relevant Regulatory Playbook:

2. STR Filing Process

2.1 Suspicious Transaction Report (STR) Obligations

STR filing is a legal obligation in all markets where Simpaisa operates. Failure to file can result in criminal penalties.

| Market | Filing Authority | Filing Deadline | Minimum Threshold |
|---|---|---|---|
| PK | FMU (Financial Monitoring Unit) | Within 7 days of suspicion | No threshold — suspicion-based |
| BD | BFIU (Bangladesh Financial Intelligence Unit) | Within 24 hours of suspicion | No threshold — suspicion-based |
| NP | FIU-Nepal | Within 3 days of suspicion | No threshold — suspicion-based |
| IQ | AML/CFT Directorate (CBI) | Within 5 days of suspicion | No threshold — suspicion-based |
| AE | UAE FIU (goAML) | Within 24 hours of suspicion | No threshold — suspicion-based |

2.2 STR Filing Workflow

Transaction flagged (automated or manual)
    │
    ▼
Operations analyst reviews within 4 hours (W-20 §1.3)
    │
    ├─ False positive → Document rationale; close alert
    │
    └─ Suspicious → Escalate to Country Compliance Officer
        │
        ▼
    Country Compliance Officer investigates (24 hours max)
        │
        ├─ Not suspicious → Document rationale; close alert; retain records
        │
        └─ Suspicious → Prepare STR
            │
            ▼
        Global Head Regulatory reviews STR (within 4 hours)
            │
            ▼
        Country Compliance Officer files with relevant FIU
            │
            ▼
        Filing confirmation logged; transaction records preserved
            │
            ▼
        No tipping-off: merchant and customer NOT informed

2.3 Tipping-Off Prevention

  • STR-related information is restricted to the compliance team and the Global Head Regulatory.
  • Operations staff who flag suspicious transactions are told only that the matter is "under compliance review."
  • No information about STR filings is shared with merchants, partners, or customers.
  • Tipping-off is a criminal offence in all markets; all compliance staff receive annual training on this obligation.

2.4 Record Retention

  • All STR-related records (transaction data, investigation notes, filing confirmations) are retained for a minimum of 7 years (or longer if required by local law).
  • Records are stored in the compliance management system with restricted access.

3. Audit Preparation

3.1 Types of Audit

| Audit Type | Frequency | Lead | Typical Duration |
|---|---|---|---|
| External financial audit | Annual | CFO + External Auditor | 6–8 weeks |
| SBP inspection (PK) | Annual or ad hoc | Global Head Regulatory + PK Country Head | 1–4 weeks |
| BB inspection (BD) | Annual or ad hoc | Global Head Regulatory + BD Country Head | 1–2 weeks |
| NRB inspection (NP) | Annual or ad hoc | Global Head Regulatory + NP Country Head | 1 week |
| CBI inspection (IQ) | Periodic | Global Head Regulatory + IQ Country Head | 1 week |
| CBUAE inspection (AE) | Periodic | Global Head Regulatory + AE Country Head | 1–2 weeks |
| Internal audit | Semi-annual | CFO / Internal Audit | 2–4 weeks |
| IT/Security audit | Annual | CISO (CDO) | 2–4 weeks |

3.2 Audit Preparation Process

Standing readiness (continuous):

  • Compliance management system is kept up to date at all times.
  • All regulatory reports, STR filings, and correspondence are filed and indexed.
  • Transaction records are retained per the data retention policy.
  • KYC/KYB files for all active merchants are complete and current.

Pre-audit preparation (T-30 days):

  1. Global Head Regulatory notifies the Country Head and relevant central functions.
  2. Compliance team compiles an audit preparation pack: regulatory reports filed, STRs filed, compliance monitoring results, training records, policy documents.
  3. Finance prepares the financial records and reconciliations.
  4. CDO provides system access for IT audits (read-only access, auditor-specific credentials).
  5. Dry run: internal review of the audit pack for completeness and accuracy.

During audit:

  • Global Head Regulatory (or designated deputy) is the primary point of contact for the auditor/inspector.
  • All information requests are channelled through the compliance team — no direct access to systems or staff without coordination.
  • Daily debrief between the compliance team and the Country Head.
  • Any adverse finding is escalated to the CEO within 24 hours.

Post-audit:

  • Audit findings documented and tracked in the compliance management system.
  • Remediation plan prepared within 14 days of receiving the audit report.
  • CFO and CEO sign off on the remediation plan.
  • Remediation progress tracked monthly until all items closed.

4. Licence Renewal Tracking

4.1 Active Licences

| Market | Licence Type | Regulator | Renewal Frequency | Current Expiry |
|---|---|---|---|---|
| PK | PSP/PSO licence | SBP | Annual | Per SBP schedule |
| BD | MFS licence | BB | Annual | Per BB schedule |
| NP | PSP licence | NRB | Annual | Per NRB schedule |
| IQ | E-payment licence | CBI | Annual | Per CBI schedule |
| AE | SVF/Retail Payment Service licence | CBUAE | Annual | Per CBUAE schedule |
| KSA | Payment institution licence | SAMA | Pre-launch application | N/A |

4.2 Renewal Process

| Milestone | Timeline | Owner |
|---|---|---|
| Renewal reminder generated | T-90 days | Compliance Calendar Automation (STD-GOV-132) |
| Renewal requirements confirmed with regulator | T-75 days | Country Compliance Officer |
| Renewal documentation prepared | T-60 days | Country Compliance Officer |
| Global Head Regulatory reviews | T-45 days | Global Head Regulatory |
| CFO reviews financial submissions (if required) | T-30 days | CFO |
| CEO signs off | T-21 days | CEO |
| Application submitted | T-14 days (minimum) | Country Compliance Officer |
| Confirmation of renewal received and filed | T+0 | Country Compliance Officer |

4.3 Licence Risk

If a licence renewal is at risk (regulatory concern, outstanding audit findings, late documentation):

  1. Global Head Regulatory escalates to CEO immediately.
  2. A remediation task force is convened (Global Head Regulatory, Country Head, CFO, CDO if technical matters are involved).
  3. Daily progress updates to CEO until the risk is resolved.
  4. If licence suspension is imminent, contingency planning is activated (transaction wind-down, merchant notification, regulatory engagement).

5. Compliance Monitoring Cadence

5.1 Daily

| Activity | Owner | Output |
|---|---|---|
| Sanctions screening of new merchants and beneficiaries | Compliance system (automated) | Alerts for manual review |
| Transaction monitoring alerts reviewed | Operations + Compliance | Flagged transactions investigated |
| PEP (Politically Exposed Person) screening of new customers | Compliance system (automated) | Alerts for manual review |

5.2 Monthly

| Activity | Owner | Output |
|---|---|---|
| Compliance dashboard review (alerts, STRs, screening hits) | Global Head Regulatory | Monthly compliance summary |
| KYC/KYB file completeness check (sample-based) | Country Compliance Officers | Exception report |
| Policy compliance spot checks | Country Compliance Officers | Spot check report |
| Compliance training completion tracking | HR + Compliance | Training status report |

5.3 Quarterly

| Activity | Owner | Output |
|---|---|---|
| Quarterly compliance report to ELT | Global Head Regulatory | Formal compliance report |
| Regulatory risk assessment update | Global Head Regulatory | Updated risk register |
| AML programme effectiveness review | Global Head Regulatory | Review findings and actions |
| Board Compliance & Regulatory Committee report | Global Head Regulatory | Board paper |

5.4 Annual

| Activity | Owner | Output |
|---|---|---|
| AML/KYC programme review (per market) | Global Head Regulatory | Annual programme report (§7 below) |
| Compliance policy review and update | Global Head Regulatory | Updated policies |
| Enterprise-wide risk assessment | Global Head Regulatory + CFO | Risk assessment report |
| Compliance training programme refresh | Global Head Regulatory + HR | Updated training plan |

6. Regulatory Change Management

6.1 Identification

Regulatory changes are identified through:

  • Regulator publications and circulars (monitored daily by Country Compliance Officers).
  • Industry associations and working groups (PK: PSPA; BD: BPSS; AE: various).
  • Legal counsel updates.
  • Peer monitoring (what are other PSPs/fintechs being required to do?).
  • Global Head Regulatory network and regulator relationships.

6.2 Assessment Process

New regulation / circular identified
    │
    ▼
Country Compliance Officer logs in compliance management system
    │
    ▼
Global Head Regulatory assesses impact (within 48 hours)
    │
    ├─ Low impact (reporting format change, minor update)
    │   └─ Country Compliance Officer implements; no escalation
    │
    ├─ Medium impact (process change, new reporting requirement)
    │   └─ Global Head Regulatory coordinates with affected functions
    │       └─ Implementation plan within 14 days
    │
    └─ High impact (licence condition change, new product restriction, capital requirement)
        └─ CEO and ELT briefed within 24 hours
            └─ Cross-functional task force convened
                └─ Implementation plan within 7 days

6.3 Implementation

| Step | Owner | Timeline |
|---|---|---|
| Impact assessment documented | Global Head Regulatory | Per §6.2 |
| Affected policies and procedures identified | Compliance team | Within 5 business days of assessment |
| System changes required identified (if any) | CDO | Within 5 business days |
| Implementation plan approved | Global Head Regulatory (medium) or CEO (high) | Per §6.2 |
| Changes implemented | Responsible function | Per implementation plan |
| Compliance verified | Country Compliance Officer | Before regulatory deadline |
| Staff trained on changes | Compliance + HR | Before regulatory deadline |
| Implementation documented | Compliance team | Within 5 business days of go-live |

7. AML/KYC Programme Review

7.1 Annual Review Scope

Each market's AML/KYC programme is reviewed annually. The review covers:

| Area | Review Questions |
|---|---|
| Risk assessment | Is the market-level risk assessment current? Have new risks emerged? |
| Policies and procedures | Are AML/KYC policies aligned with current regulations? |
| Customer due diligence | Are KYC/KYB files complete and current? Sample testing of files. |
| Enhanced due diligence | Are high-risk customers subject to appropriate EDD? |
| Transaction monitoring | Are monitoring rules effective? False positive rates acceptable? |
| STR filing | Are STRs filed on time and of sufficient quality? |
| Sanctions screening | Are screening lists current? Are hits investigated promptly? |
| Training | Have all staff completed required AML training? |
| Record keeping | Are records retained per policy and regulation? |

7.2 Review Process

| Step | Owner | Timeline |
|---|---|---|
| Review scope and plan prepared | Global Head Regulatory | January (for prior year) |
| Country-level reviews conducted | Country Compliance Officers + Global Head Regulatory | January–February |
| Findings documented | Global Head Regulatory | March |
| Remediation plan prepared | Country Compliance Officers | Within 14 days of findings |
| Report to ELT | Global Head Regulatory | March ELT meeting |
| Report to Board (Compliance & Regulatory Committee) | Global Head Regulatory | Q1 Board meeting |
| Remediation tracked to completion | Global Head Regulatory | Ongoing; monthly progress review |

7.3 Key Metrics

| Metric | Target |
|---|---|
| KYC/KYB file completeness rate | ≥99% |
| Average KYC refresh time (for due accounts) | <14 days |
| STR filing within regulatory deadline | 100% |
| Transaction monitoring false positive rate | <80% (i.e., at least 20% of alerts are genuine) |
| Sanctions screening coverage | 100% of new merchants and beneficiaries |
| AML training completion | 100% of required staff |

8. Sanctions Screening

8.1 Screening Lists

Simpaisa screens against the following lists:

| List | Source | Update Frequency |
|---|---|---|
| UN Security Council Consolidated List | UN | Real-time (automated feed) |
| OFAC SDN List | US Treasury | Real-time (automated feed) |
| EU Consolidated Sanctions List | EU | Daily |
| UK Sanctions List (OFSI) | HM Treasury | Daily |
| Pakistan NACTA list | NACTA | As published |
| Bangladesh list | BFIU | As published |
| Local lists per market | Relevant authority | As published |

8.2 Screening Process

| Trigger | Action | SLA |
|---|---|---|
| New merchant onboarding | Screen against all lists before activation | Must clear before merchant goes live |
| New beneficiary (pay-out) | Screen against all lists before payment | Real-time; payment blocked if match |
| Daily batch re-screening | All active merchants and beneficiaries screened against updated lists | Daily; completed by 06:00 GST |
| List update received | Delta screening of all active records against new entries | Within 4 hours of list update |

8.3 Hit Investigation

Screening hit identified
    │
    ▼
Automated match scoring (fuzzy match threshold: 85%)
    │
    ├─ Score <85%: Auto-dismissed; logged
    │
    └─ Score ≥85%: Manual review required
        │
        ▼
    Compliance Analyst investigates (within 2 hours during business hours)
        │
        ├─ False positive → Document rationale; release transaction/merchant
        │
        └─ Confirmed or unable to rule out match
            │
            ▼
        Transaction blocked / merchant frozen
            │
            ▼
        Global Head Regulatory notified
            │
            ▼
        Report to relevant authority (per market requirements)
            │
            ▼
        Records retained; no tipping-off

8.4 Screening System

  • Automated screening is integrated into the merchant onboarding and transaction processing pipelines.
  • The screening engine is maintained by CDO Engineering.
  • List updates are automated via API feeds where available; manual upload for lists without API access.
  • Screening logs are retained for 7 years minimum.
  • Annual screening system effectiveness review conducted by the Global Head Regulatory.

Appendix: RACI

| Activity | Compliance Team | Global Head Regulatory | Country Head | CFO | CDO | CEO |
|---|---|---|---|---|---|---|
| Regulatory reporting | R | A | C | I | I | I |
| STR filing | R | A | I | I | I | I |
| Audit preparation | R | A | C | C | C | I |
| Licence renewal | R | A | C | C | I | A |
| Compliance monitoring | R | A | I | I | I | I |
| Regulatory change management | R | A | C | C | C | I (high impact: A) |
| AML/KYC programme review | R | A | C | I | I | I |
| Sanctions screening (operations) | R | A | I | I | C | I |
| Sanctions screening (system) | I | A | I | I | R | I |