Group Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) Policy

1. Introduction

1.1 Policy Statement

As a company operating within the global digital financial services offering merchants payment aggregation services, pawa P Holdings Limited and its subsidiaries and affiliates (the Company’) is committed to complying with Anti Money Laundering and Counter Terrorist Financing (hereafter ‘AML and CTF’), laws and regulations. The Company is committed to taking a Risk Based Approach (RBA) to ensure the identification, assessment and understanding of  Money Laundering (ML), Terrorist Financing (TF) and other Financial Crime (FC) risks to the business.

1.2 Policy Objective

This Policy seeks to ensure that the Company abides by the laws, regulations, and guidelines developed by regulators, across all countries the Company operates in, to manage ML, TF and FC risks accordingly.

The Company recognises that the digital financial services nature of the business exposes the Company to heightened risks for ML, TF and FC related activities. In response to this awareness the Company has adopted a robust AML, CTF and Sanctions Program (‘the Compliance Program’) to ensure ML, TF and FC risks are inhibited in accordance with legal and regulatory standards.

The Company has zero tolerance for any activity that is in breach of this Policy. Any incidences of non-compliance to this Policy must be immediately reported to the policy owner. This Policy must be read in conjunction to the Associated Documentation.

1.3 Definitions

Please see Glossary of Terms in Appendix A of this Policy.

1.4 Legal and Regulatory Context

The Company has developed this Policy while considering the local and international AML/CFT laws and other applicable guiding principles. These include but are not limited to:  

  • FATF 40 Recommendations;
  • UK/EU AML Laws;
  • Jurisdictional AML laws in operating countries;
  • United Nations Terrorist Financing Convention; and,
  • Various resolutions of the United Nations Security Council (UNSC).

In addition, the Company is regulated by the respective Central Banks in all markets that it operates in and is also a reporting institution to the local Financial Intelligence Units (FIUs).

Please note that any subsequent legal updates to these laws, regulations and guidelines shall apply to this Policy.

2. Scope

This Policy applies to all day to day business activities conducted by the Company and its employees, affiliates, subsidiaries and/or outsourced service providers. This includes all legal entities owned or controlled by pawaPay companies, their respective subsidiaries, branches, representative offices, and lines of business.

This Policy and Associated Documentation noted in Section 13 of this Policy are available on the Compliance Confluence Page for the Company. The current version of this Policy will be stored on the Compliance  Confluence Page and Compliance Google Drive.

3. Effective Date

This Policy is effective from the date of approval by the Board of Directors (BOD) or Delegated Authority.

4. Roles and Responsibilities

The below statements outline high-level responsibilities in the Company in relation to this Policy.

4.1 Board of Directors

The Board of Directors (BOD) are responsible for:

  • ultimately being accountable for the implementation of the Compliance Program
  • delegated authority of the Compliance Program implementation to the executive team
  • promoting and encouraging a culture of compliance throughout the Company;
  • approving the Policy annually or in the event of regulatory updates and reviewing periodic compliance reports; and,
  • acting as an escalation path for decisions on high and extreme risks arising from the Compliance Program.

4.2 Executive Team  

The Executive Team led by the CEO is responsible for:

  • promoting and implementing a strong culture of AML and CTF compliance;
  • reviewing Compliance Reports concerning AML and CTF on a periodic basis;
  • holding line manager accountable for resolution of AML and CTF corrective actions;
  • reviewing, approving, and overseeing AML and CTF compliance initiatives;
  • ensuring that the Company has adequate AML and CTF resources; and
  • ensuring that AML and CTF compliance goals are included in the performance objectives of Senior Management and Employees.

4.3 Policy Owner

The Head of Risk and Compliance is the Policy Owner of this Policy, with the responsibilities including (but not limited to):

AML and CTF Risk Assessment Responsibilities:

  • assessing the quality of AML and CTF controls by conducting a AML and CTF Risk Assessment periodically or as often as required as per regulatory requirements, to determine residual risks and mitigate any risks identified;
  • reviewing any changes to AML related laws, regulations, guidance, or regulatory expectations and ensuring that the Company implements processes to remain fully in compliance with its AML obligations and regulatory expectations;
  • communicating new guidelines issued by regulators to the relevant parties within the Company, thereby ensuring compliance with the guidelines issued;
  • ensuring Enhanced Due Diligence (EDD) requirements are refreshed annually or as and when required by regulatory standards;  
  • updating the AML and CTF Risk Assessment regarding any issues raised during independent testing and taking necessary corrective action to remediate findings;  
  • maintaining effective communication with any local regulatory authorities (i.e. Local FIU, Central Banks).

Regulator and Management Reporting Responsibilities:

  • providing quarterly and/or yearly reports to the BOD on the operation and progress of the AML and CTF Program including Risk Assessment (seeking external and independent testing where deemed appropriate);
  • providing suggestions to the BOD for enhancements to the AML and CTF Program including the Company’s Risk Assessment to mitigate any levels of excessive risk or control weaknesses identified in the risk assessment, for review and approval;
  • reporting any ML and TF activity to the Financial Intelligence Unit (FIU); for example the identification of high risk users and any other factor posing unacceptable ML, TF and FC risks;
  • filing a Suspicious Transaction Report (STR) and/or Suspicious Activity Report (SAR) in the event the Company identifies potentially reportable suspicious activity as a result of conducting EDD. ALL STRs/SARs are subsequently reported by the Policy Owner to the Company BOD and the appointed nominated country compliance managers in local jurisdictions are responsible for reporting SAR/STR to the relevant local FIUs.

4.4 Country compliance managers

The country compliance managers act as the local Money Laundering Risk Officers (MLROs) and their responsibility include but not limited to:

  • Providing local compliance advisory, guidance and support for their initiatives including development, implementation and maintenance of robust policies, procedures and practices to address regulatory, and industry and requirements/concerns;
  • Monitoring regulatory and industry developments for any new, amended or upcoming laws/regulations/guidelines and identify any potential business impact to the business;
  • Maintaining a regulatory documentation database and ensuring compliance with all local regulatory requirements;
  • Compiling, prepare, review and submit regulatory submission to regulatory authorities including SARs reporting to FIUs; and,
  • Being primary liaison to the regulatory authorities in the local market.

4.5 Line Managers

Company Line Managers are responsible for:

  • establishing and maintaining an effective compliance culture set by executives within their management areas;
  • ensuring that AML/CFT processes are part of operational processes and are adhered to;
  • ensuring that their staff understand the AML/CFT Policy and apply it appropriately in their day-to-day operations;
  • identifying compliance weaknesses through monitoring activities in their areas, and promptly alerting and working with the Policy Owner​ to take corrective action;
  • ensuring that their Employees receive and complete appropriate AML and CTF Training Programme for processes within their spheres of responsibility;
  • providing the Policy Owner with advance notice of all new products or changes to existing products that might affect AML and CTF risks.

4.6 Employees

All Company Employees are responsible for:

  • reporting promptly to the Policy Owner, any unusual activity or transaction incidents that they come across in day to day work;
  • not tipping off any merchant or any person that a suspicious transaction report has been made or they are under investigation;
  • ensuring they have read, understood and attested this Policy at minimum on an annual basis; and,
  • timely and successful completion of the annual Compliance training.

5. AML and CTF Risk Based Approach

The Company as per regulatory requirements has established a Risk Based Approach (RBA) in our AML, CTF and Sanctions Program (hereafter ‘Compliance Program.’)

As per FATF recommendations an RBA means the Company seeks to identify, assess, and understand the money laundering and terrorist financing risk to which it is  exposed, and take the appropriate mitigation measures commensurate to the level of risk identified. This is applied when operationalising the requirements of this Policy with risk assessments, risk appetite and tolerance levels determined.

5.1 Financial Crime Risk Assessment (FCRA)

In relation to a RBA for AML and CTF Risks the Company conducts a Financial Crime Risk Assessment (FCRA).

The purpose of the Financial Crime Risk Assessment (FCRA) is to better understand the Company’s Financial Crime (FC) risks in order to inform the efficient allocation of resources and mitigation of those risks identified to protect the Company from being exploited by criminals. It must include AML and CTF risk factors and be conducted for each Country of operation which will provide an overall global view.

The FCRA is to be conducted at least annually, or more frequently in the event of material changes to the Company’s risk profile.

The outcomes of this assessment will identify the inherent risk exposure given the size, scale and nature of the Company, the controls in place to mitigate the inherent risk and the residual risk exposure. The outcome will drive improvements in how the Company manages risk.

This FCRA is conducted as per the following:

  • Head of Risk and Compliance or Delegated Authority assesses the quality of controls to mitigate that risk and thereby determines the residual risk;
  • Head of Risk and Compliance or Delegated Authority evaluates the adequacy and application of AML, CTF resources;
  • If necessary, Head of Risk and Compliance or Delegated Authority recommends and implements modifications to the Company’s Policies, Associated Documentation (or the underlying procedures and processes) to bring the Company’s AML, CFT and Sanctions risk to an acceptable level.

The Head of Risk and Compliance or Delegated Authority reports results to the BOD or Delegated Authority on an annual basis, this is inclusive of proposed enhancements to the Programme to mitigate any levels of excessive AML and CT risks or control weaknesses identified in the AML and CTF Risk Assessment.

5.2 Risk Appetite

The Company is required to ensure there is a Risk Appetite in place to state the expression of the type and amount of risk the company is prepared to take in relation to AML and CTF. Through a Risk Appetite the Company promotes consistent, 'risk-informed' decision-making aligned with strategic aims and it also supports robust corporate governance by setting clear risk-taking boundaries.

The Company is committed to complying with regulatory requirements and we have zero tolerance for our products and services being knowingly used for AML/CFT/Sanction activities.

In addition, the Company has no appetite for the following prohibited business/activities (including but not limited to):

  • sanctioned entities
  • unlicensed gambling;
  • drugs dealing;
  • pyramid selling;
  • defence arms;
  • escort services;
  • online pharmacies;
  • shell companies;
  • counterfeits/pirated goods;
  • unregistered charities;
  • telemarketing;
  • regulated entities with inadequate compliance controls such as lack of applicable licences;
  • and any other activities damaging to brand or reputation.

6. Internal Controls

The Company has developed the following internal processes, to mitigate the risk of AML/CFT:

  • Customer Due Diligence;
  • Transaction Monitoring;
  • Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) Filing;
  • PEPs;
  • Screening (Sanctions, Adverse media);
  • Record Keeping (as per Section 10 of this Policy);
  • Training;
  • Breaches, waivers and exceptions; and,
  • Risk Based Approach (as per Section 5 of this Policy).

6.1 Customer Due Diligence

Customer Due Diligence (CDD) comprises the collection of documents and information about a merchant that enable the Company to assess the extent of risk a relationship with that merchant represents. This includes ML, TF and FC related risks. Collecting additional information about the merchant's Source of Wealth/Funds (SOW/F), PEP status, country of residence and detailed business activities/operation, or other key details as dictated by the the risk rating assigned the merchant in question, shall help the Company establish the level of risk the merchant has to the Company.

6.1.1. Standard Due Diligence (SDD)

Our standard CDD process starts with collecting company and directors/UBO information such as Company name, Registration country, Registration date, Registration number, Legal address, website, email, business activity, director/UBOs’ KYC data and attachments of the Company and Director’/UBO KYC and shareholding structure documents.

6.1.2. Enhanced Due Diligence (EDD)

The EDD process applies to higher risk merchants. It entails a more in-depth due diligence including requesting for additional information, documentation and clarifications to ascertain whether the merchant, their business and potential activities fall within the Company’s risk appetite. In addition to the standard CDD/KYC requirements, the following shall be required for high-risk customers:

  • Duly completed AML/CFT and other related questionnaires (in the case of Financial Institutions;.
  • Executive Team’s approval (in the case of PEPs)

6.1.3 Customer Risk Rating (CRR)

The CRR allows the Company to measure the FC risks a merchant has in relation to the Company business activities. It will determine whether the merchant requires further EDD and/or whether further measures are needed to monitor that merchant in parity to the Compliance Program.

The ongoing KYC review on existing merchants will be on a risk-based approach. The KYC refresh shall be conducted as follows:

  • High Risk merchant – to be reviewed every 1 year after onboarding
  • Medium Risk merchant – to be reviewed every 2 years after onboarding
  • Low Risk merchant – to be reviewed every 3 years after onboarding

Where there is a change in the merchant’s business/segment, the merchant would be required to provide further information to enable us carry out further risk assessment and ascertain if the risk rating has changed. Other conditions that may trigger a reassessment are as follows:

  • Multiple filed suspicious transaction reports;
  • Established fraud case;
  • Negative media or public domain report;
  • Regulatory investigation; and,
  • Venturing into high-risk business, product, or geographical location.

Please refer to the KYC/CDD procedure for further information

6.2 Ongoing Monitoring

The ongoing monitoring of customers and transactions helps to identify suspicious activities and enable the Company to take further action to prevent recurrence of such activities. The Company has deployed systems to monitor all activities on an ongoing basis to ensure that:

  • Transactions being conducted are consistent with the Company’s knowledge of the merchant, and
  • All relevant information has been considered to assess whether the merchant has conducted transactions which could be related to ML, TF or other FC risks.

The Company applies the Joint Money Laundering Steering Group (JMLSG) guidance for Transaction Monitoring globally. The minimum requirements the Company sets globally for the Transaction Monitoring (TM) as per this Guidance is:

  • flags up transactions and/or activities for further examinations;
  • these are generated into monthly reports;
  • these reports are reviewed prompt by Management; and
  • appropriate action is taken on the findings of further examination.

As part of the TM, the Company is responsible for ensuring that:

  • it will not enter into a new relationship or continue a relationship with a merchant that is in breach of our Risk Appetite in Section 5.2;  
  • it does not process any payments and/or transactions that are in breach of applicable laws and regulations regarding ML, CT and other FC activities;
  • no business is undertaken with any Users residing in; registered or operating in; or where beneficial owners or controllers are residing or located in countries that are ‘Prohibited/Sanctioned.’

6.2.1 Transaction Monitoring Thresholds

The Policy Owner sets Transaction Monitoring Thresholds (TMTs). They shall:

  • vary TMTs according to merchant information collected in the KYC process
  • review the sufficiency and calibration of the thresholds no less than annually and make changes as needed in response to emerging patterns of activity.
  • document and retain the rationale for all changes in thresholds.

In addition the Company shall carry out the process of monitoring merchants’ activities. The checks include but are not limited to the following.

  • Website checks;
  • Licence validity monitoring;
  • Sanctions and adverse media check.

Please refer to the Group TM procedure for further information.

6.3 Watchlist Screening

The Company performs screening on all merchants, directors and Ultimate Beneficial Owners (UBOs) at onboarding and on an ongoing basis. The Company uses automated screening systems and databases such as Refinitiv’s World Check to screen for sanctions, PEPs and adverse media against hundreds of datasets and watchlists including UK, EU, US, UN lists. In addition, we have an internal watchlist we maintain to check against as we onboard and/or monitor merchants.

6.3.1. PEPs

The Company across all its business activities defines PEP as per the Financial Action Task Force (FATF) definition of a PEP, that being an individual who is or has been entrusted with a prominent public function. Due to their position and influence, it is recognised that many PEPs are in positions that potentially can be abused for the purpose of committing ML, TF and other FC offences. These risks also extend to being potentially committed by family members or close associates to PEPs.

Examples of PEPs are:

  • Heads of State or Government;
  • Local Government Chairpersons;
  • Senior politicians;
  • Senior government officials;
  • Judicial or military officials;
  • Senior executives of state-owned corporations;
  • Important political party officials;
  • Family members or close associates of PEPs; and,
  • Members of royal families.

All relationships where a PEP is the beneficial owner, are classified as a PEP and we carry out EDD measures before the merchant is onboarded.

The Company is to manage risks associated with PEPs accordingly. This can be demonstrated by the following:

  • all PEPs will be treated with a CRR of High Risk;
  • there shall be a PEP Register that will record of all PEPs identified at the Company;
  • a rationale must be provided for any commencement, continuation, termination, downgrade and discounting of PEP relationships;
  • any PEPs identified require approval from the Country and/or Group Management
  • final approval would be required in the event the Management determines that the PEP is not posing a ML, TF or FC risk

Please refer to Group Watchlist/PEP Screening Procedure for further details.

6.4 Suspicious Transaction/Activity Reporting (ST/AR)

The Company is required to file a Suspicious Activity Report (SAR) and/or Suspicious Transaction Report (STR) with relevant details to the local Financial Intelligence Units (FIUs) authorities in a timely manner (varies by Country in which the SAR/STR is investigated and determined that filing is required) and keep ST/ARs according to local Country requirements.

The Policy Owner  (and in exceptional circumstances the Employee making an internal SAR) will consider the ‘privileged circumstances’ exemption when making a ST/AR. As these matters can be complex, the Policy Owner will also consider if professional legal advice is required before making this decision.

6.4.1. Employee Reporting

The Policy Owner shall ensure that all Employees receive training (including the prohibition against “tipping-off”) on how to  escalate potential suspicious activity. All Company Employees must report SARs/STRs to the Head of Risk and Compliance. This includes examples (but is not limited to) such as:

  • merchants that seek assistance of employees to launder money or commit other illegal and/or questionable activity under AML and CFT regulations;
  • transactions with no apparent legitimate business purpose;
  • transactions reviewed for fraud purposes that also may be reportable under legal and regulatory requirements;
  • criminal violations involving insider abuse in any amount;
  • criminal violations when a suspect can be identified;
  • criminal violations regardless of a potential suspect;
  • transactions conducted or attempted by, at, or through the Company where employees knows, suspects, or has reason to suspect that the transaction:
    • may involve potential money laundering or other illegal activity (e.g., terrorism financing);
    • is designed to evade requirements as per the AML laws;
    • has no business or apparent lawful purpose or is not the type of transaction that the particular merchant would normally be expected to engage in, and the Company knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

Please note that to reduce risk of disclosure (‘Tipping Off’), the Company restricts internal access to SAR/STR filings, documentation and other SAR/STR-related information to the Compliance and Executive teams.

6.4.2 MLRO Reporting  

All SAR/STRs are subsequently reported by the LMLRO in the Country in which the SAR has been raised. Once a SAR/STR is filed the Company will support the FIU’s investigative process by promptly responding to any requests for clarification or additional information.

The SAR/STRs are maintained at minimum for 5 years (or as per local Country requirements in which the Company is operating) and as long as an investigation is ongoing with the FIU or as long as regulatory requirements shall need the records to be maintained. Upon decision to file, the Policy Owner will evaluate whether to close the relationship and make recommendations to Management.

For any SARs/STRs investigations not reported to the FIU, records of the investigation which has resulted in no suspicion being found are recorded internally.

7. External Controls

7.1 Independent Testing

The independent review assesses the implementation, adequacy and effectiveness of the Program and the adequacy of controls to mitigate AML and CTF related risks. The Policy Owner is responsible for updating the Company’s AML and CTF Risk Assessments in regards to any issues raised during independent testing and taking necessary corrective action to remediate findings.  

The Company will use internal and/or external audits to periodically review and test the effectiveness of the Compliance Program. This shall be done on an annual basis and/or as regulations require in the local jurisdictions.

8. Reporting

The Policy Owner will also ensure that the Company provides timely AML and CTF reporting. All Company Compliance Reports in relation to AML and CTF can contain the following information (as applicable per the reporting requirements at the time of reporting):

  • AML and CTF compliance trends, including reporting on SAR/STR volumes and notable patterns in SAR/STR activity;
  • AML quality assurance/testing results;
  • material AML compliance issues and/or escalated issues;
  • status of AML corrective actions;
  • examination and audit findings and/or regulatory concerns;
  • emerging AML compliance issues which the Company will need to address; and,
  • suggested enhancements to AML and CTF documentation, including this Policy.

8.1 Regulatory Reporting

The Company is required to report all SARs/STRs to the FIU. This will be to the FIU of the Country where the SAR/STR has occurred and has been reported. These will be based on the local Country requirements as per the SAR/STR filed.

In addition, the Company will report to the regulatory authorities as per the local applicable laws and regulations including the Central Banks’ reporting obligations relating to our local Compliance Program such as monthly PEPs reports, monthly SARs reports statistics, etc.

8.2 Management Reporting

To ensure effective executive team and BOD oversight of the requirements noted in this Policy the Policy Owner and or Delegated Authority reports periodically to the BOD Key Performance Indicators (KPIs) on the following information:

  • User Onboarding/Offboarding Metrics;
  • Transaction Monitoring/SARs;
  • Watchlists - PEPs, Sanctions;
  • Compliance Training;
  • Common Typologies.

9. Training and Awareness

The Company will ensure that staff are aware of their compliance obligations and personal responsibilities in preventing Money Laundering and Terrorist Financing. Training will be given to enable staff to recognize transactions that are unusual or suspicious against a customer’s profile. The training will also address terrorist funding and terrorist activities to ensure that staff can identify customer transactions or activity(ies) that might be related to terrorism.  

The Company requires all new employees at onboarding to complete the standard compliance training. In addition, all employees to receive AML and CTF training appropriate to their roles and responsibilities, at minimum annually by implementation of the Company AML and CTF Training Programme which:  

  • ensures the employees are familiar with relevant AML requirements (note training shall pertain to their specific job functions to the extent practicable) and that they receive the most current information available;
  • creates a culture in which relevant employees are always alert to the risks of ML TF and habitually adopt a risk-based approach in the work they undertake.

The training is mandatory for all employees and the BOD. It will be conducted through the elearning modules on our Learning Management System (LMS) and this is conducted once a year and there is a pass mark and a certificate issued for successful completion.

10. Record Keeping

Record keeping is an important part of the Compliance Program. It involves policies and practices for creating, organising, and managing information. The company is required to ensure that the minimum requirements for records keeping set by regulatory bodies are always met. pawaPay is required to maintain records of merchant identity and transactions in line with the business operations in line with regulations.

Records must be kept if the relationship continues with the customer and inline with the applicable retention period of the local laws and regulations.  

The components of records of transactions to be maintained by the Company include but not limited to:

  • Records of customers and beneficiaries names, addresses or other identifying information normally recorded by the intermediary.
  • Nature and date of the transaction
  • Type and amount of currency involved; and
  • Type and identification number of any account involved in the transaction.

The Company will maintain a full record audit trail of all records as per all the requirements noted in this Policy and Associated Documentation for a minimum of 5 years (or as required in local laws). That is including (but not limited to) all records of:

  • merchants and relevant parties and transactions, including what data was screened;
  • any merchants closures or severance in relation to a merchant;
  • any investigations as per legal and regulatory requirements ongoing for a merchant;
  • any Compliance Reports;
  • any SARs/STRs and the original or business record equivalent of any supporting documentation;
  • any AML and CTF Risk Assessments;
  • any other data in relation to all aspects of this Policy and Associated Documentation.

Upon request by a regulatory or law enforcement agency, the Company shall make available records related to its merchant as soon as possible from the date of the request.

11. Data Protection

The Company will ensure merchant data is protected as per local Data Protection Regulations. In addition, the Company has Privacy Policy to address data protection measures for the merchants.

12. Non-Compliance

12.1 Breaches

The Company recognizes that non-compliance to this Policy and Associated Documentation can expose the Company to substantial risk and civil or criminal penalties.

Non-compliance or noted breaches with the Policy requirements by Employees may result in:

  • disciplinary action, up to and including termination in appropriate cases; and/or
  • individual civil and/or criminal penalties as per legal and regulatory requirements.

12.2 Exemptions or Waivers

Any proposed Exemptions or Waivers to this Policy  should be directed to the Policy Owner or Delegated Authority for review and advice on potential risks arising from the Exemption or Waiver. The Company will not approve any Exemption or Waiver that causes a breach of law or regulation or is outside of Company's risk appetite .

Any conflicts between this Policy and the Company’s other legal obligations should be submitted immediately to the Policy Owner for further evaluation. Questions or suggestions about this Policy should be forwarded to the Policy Owner through  compliance@pawapay.io

13. Associated Documentation

  • Customer Due Diligence Procedures
  • Transaction Monitoring Procedures
  • Watchlist Sanctions & PEP Procedures

14. Review and Approval

The Policy is reviewed and approved at least annually or as need be by the BOD. Any of the following changes to this Policy must be approved by the BOD:

  • a notable change to AML, CTF or FC legal and regulatory requirements and/or industry guidance;
  • where new or emerging sanctions with material impact on the business become evident; or
  • a significant development in business activity.

15. Appendices

Appendix A: Glossary of Terms

Term
Definition of Term
Adverse Media
Adverse media, or negative news, is unfavourable news or information that can be found in multiple reference sources.
Affiliates
An officially attached or connected party to the Company.
Anti-Money Laundering
This refers to the activities financial institutions perform to achieve compliance with legal requirements to actively monitor for and report suspicious activities.
Beneficial Owners or Controllers
This refers to any natural person who ultimately owns or controls the corporation or has ultimate effective control over the corporation.
Breaches
This occurs when there is a failure to comply with the laws and regulations and requirements noted in this Policy.
Customer Due Diligence
This refers to the act of collecting identifying information in order to verify a customer's identity and more accurately assess the level of criminal risk they present.
Customer Risk Rating
The Customer  Risk Rating (CRR) allows the Company to measure the FC risks a User has in relation to the Company business activities. It will determine whether the User requires further EDD and/or whether further measures are needed to monitor that User in parity to the AML,CTF and Sanctions Program.
Company
This refers to the Group Company, pawa P Holdings Limited and all related entities subject to this Policy.
Compliance Program
This refers to the AML/CFT and Sanctions program.
Compliance Reports
These are reports sent to the management on a periodic basis
Delegated Authority
This is the Employee who has been appropriately delegated authority to a particular task or set of tasks.
Employees
Any individual hired by the Company, this includes contractors and third-party agency workers.
Enhanced Due Diligence
The process of investigating a higher-risk customer more thoroughly than you would others. It is most easily explained via comparison to standard customer due diligence (CDD).
Exemptions
This is a process that allows for an escalation to be excepted as investigation has revealed this has not breached compliance law or regulation or this Policy.
Financial Action Task Force (FATF)
The Financial Action Task Force, also known by its French name, Groupe d'action financière, is an intergovernmental organisation founded in 1989 on the initiative of the G7 to develop policies to combat money laundering. In 2001, its mandate was expanded to include terrorism financing.
Financial Crime
Financial crime is crime committed against property, involving the unlawful conversion of the ownership of property to one's own personal use and benefit.
FIU
An FIU is an investigative unit established by individual countries to centralize the gathering of suspicious activity reports related to criminal financial activity, including money laundering and terrorism
MLRO
A Money Laundering Risk Officer is responsible for ensuring that, when appropriate, the information or other matter leading to knowledge or suspicion, or reasonable grounds for knowledge or suspicion of money laundering is properly disclosed to the relevant authority.
Money Laundering
Money laundering is the process of concealing the origin of money, often obtained from illicit activities such as drug trafficking, corruption, embezzlement or gambling, by converting it into a legitimate source. It is a crime in many jurisdictions with varying definitions.
Policy
A statement of intent by Company on the implementation of regulatory and/or business requirements.
Politically Exposed Persons
In financial regulation, a politically exposed person is one who has been entrusted with a prominent public function. A PEP generally presents a higher risk for potential involvement in bribery and corruption by virtue of their position and the influence that they may hold.
Risk Appetite Statement
Risk appetite is an expression of the type and amount of risk the company is prepared to take. It promotes consistent, 'risk- informed' decision-making aligned with strategic aims and it also supports robust corporate governance by setting clear risk- taking boundaries
Sanctions
These are penalties imposed on individuals or institutions that do not comply with laws or rules, governments or global organisations generally apply a sanction decision to other state or individuals.
Sanctions Screening
Sanctions screening involves screening individuals, groups or companies against designated sanction lists according to the territories in which an organisation trades, the currencies they trade in, and their partnerships and alliances.
Source of Funds (SOF)
The ‘Source of Funds’ (SOF) is used to describe the source of the currency or financial instruments deposited by the User, which includes the amount to be transferred to the Company Wallet for investment or payment purposes at onboarding.
Source of Wealth (SOW)
The ‘Source of Wealth’ (‘SOW’)  is used to describe how a User and/or their Associated Parties have accumulated their wealth.
Transaction Monitoring
Transaction Monitoring (TM) is “the process of monitoring transactions after their execution in order to identify individual unusual transactions, including monitoring single transactions as well as transaction flows”.
Line Manager
These are staff incharge of units/departments/markets in the organisation.
Waivers
These are incidents whereby an individual or business does not have to comply with a rule or statement as decided by the Company BOD.
Products
Product OverviewPaymentsManagementTreasury
Developers
Getting Started GuideAPI DocsAPI Reference
Resources
Platform StatusDashboard DocsBlogCommunity DiscordMedia & Branding
pawaPay
PlansPricing
Careers
We're hiring!
Payment providers
Get in touch
Contact SalesGeneral Inquiries
LinkedIn icon in white.
© 2025 pawaPay UK Limited.
pawaPay UK Limited. C/O Freeths LLP, Routeco Office Park
Davy Avenue, Knowlhill, Milton Keynes, England, MK5 8HJ
Terms of useMerchant Terms of servicePrivacy policyCookie policy