Cashat AML/CFT/CPF Compliance Policy
Introduction and Purpose
Cashat is committed to maintaining the highest standards of Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT), and Countering the Proliferation of Weapons of Mass Destruction (CPF) compliance across all its digital financial services in Africa and globally. This policy outlines Cashat’s framework to prevent the misuse of its platform for illicit activities and to comply with international best practices (such as the Financial Action Task Force’s Recommendations) and applicable African regulations, including the Central Bank of Nigeria (CBN) guidelines and the Nigeria Data Protection Act 2023 (NDPA). The policy establishes a risk-based approach in line with FATF expectations that AML/CFT/CPF controls be “implemented through a proportionate and risk-based approach”. It also aligns with evolving regional standards – for example, Nigeria’s strengthened AML/CFT regime, which emphasizes advanced transaction monitoring, expanded due diligence obligations, robust reporting/record-keeping, and staff training. This document provides a structured blueprint for governance, procedures, and controls to be implemented across Cashat’s services and partner integrations, ensuring financial crime risks are mitigated and regulatory compliance is maintained.
Governance and Oversight Structure
Board and Senior Management Oversight: Cashat’s Board of Directors holds ultimate responsibility for the AML/CFT/CPF program. The Board approves this policy and ensures that senior management allocates sufficient resources to compliance. Senior management is accountable for implementing the policy, fostering a strong compliance culture (“tone at the top”), and routinely reporting compliance status and issues to the Board.
Compliance Department and MLRO: Cashat maintains an independent Compliance Department led by a designated Chief Compliance Officer or Money Laundering Reporting Officer (MLRO) with a direct reporting line to senior management. Per global standards, financial institutions “must appoint a designated AML officer responsible for ensuring compliance”. The MLRO oversees day-to-day AML/CFT/CPF efforts, including managing the risk assessment process, reviewing high-risk cases, and serving as the liaison to regulators and the Financial Intelligence Unit (FIU) for suspicious activity reporting. The Compliance Officer has the authority, seniority, and resources necessary to effectively carry out these functions.
Internal Controls and Committee Oversight: Cashat develops internal policies, procedures, and controls to implement this program. A Compliance or Risk Committee (comprising executives from Compliance, Risk, Operations, Product, and Engineering) convenes regularly to review AML/CFT metrics, significant cases, and emerging risks. Strong internal controls and a well-trained workforce are essential to identify and mitigate risks, and proper governance with clear reporting lines keeps the institution accountable. The committee escalates material issues to senior management and the Board and ensures that any deficiencies are remediated promptly.
Independence and Audit: The compliance function operates independently of business lines to avoid conflicts of interest. Cashat’s Internal Audit (or an external independent reviewer) conducts periodic audits of the AML/CFT/CPF program to test the effectiveness of controls and adherence to this policy. Findings are reported to the Board and senior management. The audit trail and oversight structure enable Cashat to adjust its program as needed and ensure regulatory expectations are met.
Risk-Based Approach to AML/CFT/CPF
Cashat employs a Risk-Based Approach (RBA) to prioritize resources and controls where the risks of money laundering, terrorist financing, or proliferation financing are highest. FATF guidance reinforces that AML/CFT/CPF measures should be “implemented through a risk-based approach”, allowing for proportionate controls – simplified measures for low-risk scenarios and enhanced measures for higher-risk situations. In practice, Cashat conducts an enterprise-wide AML risk assessment at least annually (and upon launching new products or entering new markets). This assessment evaluates risk factors including customer profiles, transaction types, delivery channels (e.g. mobile app, agent network), geographies of operation, and partner relationships.
Customer Risk Assessment: Each customer is risk-rated at onboarding and periodically re-assessed. Factors such as the customer’s country of residence or operation, occupation/industry, transaction behavior, and whether the customer is a Politically Exposed Person (PEP) are considered. Higher-risk customers – for example, PEPs, high-net-worth individuals with complex ownership structures, non-resident customers, or those from high-risk jurisdictions – are subject to Enhanced Due Diligence (EDD) measures (see CDD section below). Lower-risk customers (e.g. low-income users using limited services) may qualify for simplified due diligence in line with local regulations, provided a risk assessment justifies lower risk and regulatory approval is obtained for any simplified KYC tier. (For instance, in Nigeria Cashat complies with the CBN’s Tiered KYC framework, which allows minimal information accounts with capped transactions for financial inclusion.)
Product/Service & Channel Risk: Cashat evaluates the risk associated with each product and channel. Services like cross-border remittances and large-value merchant payments are inherently higher risk for illicit finance (due to potential cross-border movement of funds and higher volumes) and therefore attract stronger controls (e.g. stricter identity verification, closer monitoring of patterns). Peer-to-peer (P2P) transfers and wallet funding via regulated banking channels might be lower risk but are still monitored for structuring or unusual patterns. New products or features undergo a compliance risk review prior to launch to ensure adequate controls are designed from the start.
Geographic Risk: Transactions or customers linked to jurisdictions with high corruption, sanctions, terrorism, or proliferation risks (including countries on FATF’s high-risk list or under UN sanctions) are treated as high risk. Enhanced measures (EDD, senior management approval, or even restrictions) apply to such cases. Conversely, transactions confined to low-risk domestic markets or regions with strong AML regimes can be treated with standard controls.
By adopting this RBA, Cashat ensures that resources are focused where they matter most. This approach aligns with best practices: concentrating on higher-risk customers or activities (e.g. PEPs, complex corporate structures, large or unusual transactions) while applying simpler controls for lower-risk scenarios to encourage financial inclusion. All risk assessments and the rationale for risk ratings are documented and updated regularly. The RBA is dynamic – if a customer’s risk profile changes or new risks emerge, Cashat adjusts its controls accordingly.
Customer Due Diligence (CDD) and KYC
Cashat performs thorough Customer Due Diligence (CDD) on all users to verify their identity and assess risk, in compliance with FATF Recommendation 10 and local KYC regulations. No account or wallet is activated until the minimum KYC information has been obtained and verified. Key elements of Cashat’s CDD/KYC program include:
- Customer Identification and Verification: Individuals must provide identifying information (such as full name, date of birth, address, phone number, and government-issued identification number or passport). Documents are verified for authenticity through reliable independent sources or tools (e.g. document verification services or government databases). For corporate or business accounts (e.g. merchant partners), Know Your Business (KYB) procedures are followed: collecting registration documents, business address, nature of business, and identifying the ultimate beneficial owners (UBOs) who own or control the entity. In line with regulatory standards, CDD measures include “identification and verification of identity of beneficial owners,” understanding the purpose and intended nature of the business relationship, and understanding the source of funds for each customer. Cashat will not establish or maintain anonymous or fictitious accounts.
- Risk Profiling and Acceptance: During onboarding, each customer’s information is assessed to assign a risk rating (as described in the RBA section). If a prospective customer is identified as prohibited (e.g. appearing on sanctions lists or known to be involved in financial crime) or if adequate KYC information cannot be obtained, the relationship is declined. In all cases, customers are checked against sanctions and PEP lists at onboarding (see Sanctions section). Cashat also verifies that customers are not using false identities or acting on behalf of undisclosed third parties. If an individual is acting on behalf of someone else (e.g. a guardian or corporate representative), we verify the authority and identity of both the agent and the underlying person.
- Enhanced Due Diligence (EDD) for High-Risk Customers: For customers rated as higher risk, Cashat applies additional diligence measures in line with regulatory expectations. This may include obtaining information on source of wealth and source of funds for the customer’s transactions, requiring extra identification documents or reference letters, and more frequent review of the account. For example, if a customer is a PEP or from a high-risk country, EDD is conducted, including deeper background checks and closer monitoring of transactions. As required by Nigeria’s laws, Cashat conducts enhanced due diligence on high-risk customers and those from countries identified by FATF for increased monitoring. EDD cases may also require senior management approval to onboard or continue the relationship. The enhanced measures applied and the decision rationale are documented in the customer’s file.
- Ongoing Due Diligence: CDD is not a one-time event. Cashat updates KYC information periodically based on risk (at least annually for high-risk customers, and every 2-3 years for standard risk, or as required by local law). Trigger events also prompt KYC refresh – such as when a customer performs an unusual transaction, when there is a material change in the customer’s profile, or if derogatory information arises. Nigerian regulations specifically require FIs to conduct due diligence on existing customers at appropriate times, for example when a significant transaction occurs or the customer’s information changes. Cashat monitors for such triggers and will request updated information or documentation from customers when necessary. If a customer fails to respond to KYC update requests or if their risk becomes unacceptable (e.g. they are found to be involved in illicit activity), the account may be restricted or closed after appropriate review.
- Simplified Due Diligence: For certain low-risk customers or low-value accounts, and where permitted by law, Cashat may apply simplified CDD measures. This could include collecting a reduced set of information for basic wallet accounts with low transaction limits (for instance, just a name, phone number, and a government ID for a low-tier account). Simplified measures are only allowed in jurisdictions that have tiered KYC provisions (such as Nigeria’s tiered KYC for mobile wallets) and never in situations where there is suspicion of money laundering, terrorist financing or proliferation financing. Even under simplified KYC, basic identity verification and ongoing transaction monitoring still apply, and any indication of higher risk will prompt full KYC/EDD.
All CDD information gathered is kept confidential and stored securely, in line with data protection requirements. Cashat recognizes its responsibilities as a data controller under laws like Nigeria’s NDPA; we ensure that personal data is collected and processed in line with data protection principles and only used for legitimate purposes (such as compliance with AML laws). Customer information and documents are retained for the legally required period (see Record Keeping section) and are protected against unauthorized access or breaches.
Transaction Monitoring and Suspicious Activity Detection
Cashat employs robust transaction monitoring systems to detect potentially suspicious activities across all its products (remittances, P2P transfers, merchant payments, etc.). Our monitoring approach combines rule-based algorithms, behavioral analytics, and manual review to identify red flags indicative of money laundering, fraud, terrorist financing, or other financial crimes. In line with industry trends, Cashat leverages technology (including machine learning where feasible) to enhance detection capabilities – as seen in Nigeria’s recent push for “advanced transaction monitoring systems and artificial intelligence to detect suspicious activities in real time”. Key features of our transaction monitoring include:
- Automated Rules and Scenarios: We configure alerts for patterns such as large transactions, unusual frequency or volume, rapid movement of funds between accounts, round-number transfers, and transactions to/from high-risk jurisdictions. The rules are calibrated to Cashat’s risk appetite and regulatory thresholds. For example, an alert may trigger if an individual conducts multiple transfers just under reporting thresholds (possible structuring), or if a dormant account suddenly receives a high-value deposit. Cross-border transactions are screened to ensure they include required originator and beneficiary information per FATF standards (travel rule) and comply with foreign exchange regulations.
- Real-Time Screening: Certain transactions (especially those involving external destinations or high-risk counterparties) are subjected to real-time checks. For instance, before processing a cross-border remittance, the system will screen the beneficiary name against sanctions lists again and check if the amount is anomalous for that customer. If an immediate red flag appears, the transaction may be paused for review.
- Behavioral Analytics: The system learns typical transaction behavior for each customer segment and flags anomalies. For example, if a normally low-activity wallet suddenly engages in rapid large payments, or if a customer’s spending pattern shifts to categories unrelated to their profile, these events will be flagged. Similarly, multiple users sending funds to the same account or clustering of activity that might indicate smurfing or mule networks are detected via pattern analysis.
- Manual Review and Investigation: Alerts generated by the system are reviewed by the Compliance Operations team. Each alert is analyzed in context – reviewers may look at the customer’s profile, past transactions, and any available communications. The team documents the investigation outcome for each alert. Many alerts are explainable (false positives), but if an alert cannot be reasonably explained or risk remains, it is escalated as a potential suspicious matter.
- Case Management: Cashat maintains an audit-trailed case management system for monitoring alerts and investigations. This ensures that any suspicious activity is tracked from detection through resolution, and that decisions (whether to file a report or not) are recorded along with supporting evidence. Patterns of false positives are analyzed to refine rules for efficiency. Conversely, any new schemes or typologies identified (e.g., new fraud patterns or laundering techniques) lead to updates in monitoring rules.
Transaction monitoring covers all transaction types on the platform: deposits, withdrawals, transfers, payments, currency exchanges, etc. Specialized scenarios are in place for specific services (detailed in the section on specific services below). The monitoring program is regularly reviewed and tuned based on emerging risks and regulatory feedback. By combining automated tools with expert analysis, Cashat aims to detect and deter illicit activities proactively, minimizing the risk that our platform could be abused for money laundering or terrorist/proliferation financing.
Record-Keeping and Audit Trail
Accurate record-keeping is a fundamental component of Cashat’s AML/CFT/CPF controls. We maintain detailed records as evidence of compliance and to assist in any audits or investigations. Financial institutions are generally required to maintain transaction and customer records for a minimum of five years, and Cashat adheres to this standard (or longer if mandated by specific jurisdictions). Our record-keeping practices include:
- Customer Identification Records: All information obtained through KYC/CDD – including identification documents, verification references, address proof, source of funds information, and risk assessment results – is securely stored. These records are retained for at least 5 years after the end of the customer relationship or after an account is closed (whichever is longer), in line with legal requirements. In some countries, longer retention may be required; we comply with all local record retention laws.
- Transaction Records: For every transaction conducted via Cashat, we retain the details necessary to reconstruct the transaction. This includes date/time, amount, currency, sending and receiving parties’ details (names/account IDs), and any payment instructions or messages. Cross-border transaction records include information on the originator and beneficiary as required by wire transfer rules. These records are kept for at least 5 years from the date of the transaction. They are indexed and searchable, allowing for quick retrieval if needed by compliance investigations or regulators.
- Monitoring and Investigation Logs: All alerts, investigations, and decisions in the transaction monitoring process are logged in our case management system. We maintain these investigative files (including any supporting documentation and rationale for whether or not a Suspicious Activity Report was filed) for at least 5 years, as they form part of the audit trail demonstrating our compliance activity.
- Reports and Regulatory Communications: Copies of all Suspicious Activity/Transaction Reports (SARs/STRs) filed with authorities are retained, as well as any other reports to regulators (e.g. currency transaction reports, if applicable). Correspondence with regulators or law enforcement related to AML (e.g. inquiries, production orders, freeze orders) is documented and stored.
- Training and Awareness Records: We document employee training sessions, materials used, and attendance records, retaining these to evidence compliance with training obligations (often 5 years as well).
All records are stored in a manner that is secure (protected from unauthorized access or alteration) yet readily retrievable by authorized personnel. We utilize encryption and access controls for electronic records, and secure cabinets or off-site storage for any physical documents (though our operations are primarily paperless). Compliance with data protection laws is maintained – sensitive personal data in records is handled per privacy regulations, ensuring confidentiality. However, data protection requirements allow for retention of data for compliance with legal obligations; hence, requests from customers to delete personal data (“right to be forgotten”) may be deferred until the retention period expires, as permitted by law.
Regular audits (internal or external) are performed to verify that record-keeping is comprehensive and that records match transactions and activities. Any gaps or inconsistencies identified are remediated. By maintaining an exhaustive audit trail, Cashat can demonstrate to regulators that it has fulfilled all AML/CFT/CPF obligations, and it can provide crucial information to law enforcement for any investigations of illicit financial activity.
Internal Reporting and Suspicious Activity Reporting (SAR)
Cashat has clear procedures for internal escalation of suspicious activities and external reporting to relevant authorities, in compliance with local laws (such as reporting to the Nigerian Financial Intelligence Unit – NFIU – under Nigeria’s AML laws). All employees are trained to be vigilant for potential red flags and to promptly report any suspicions through the proper channels without fear of reprisal (see Training section). Key components of our reporting framework are:
- Internal Escalation: If any staff member (whether in customer support, operations, or other departments) observes something suspicious – for example, inconsistent information from a customer, an attempt at identity fraud, or unusual transaction behavior – they must report it to the Compliance team immediately. We provide an internal Suspicious Activity Referral form/portal for this purpose. Additionally, alerts generated by the automated monitoring system that are deemed potentially suspicious after compliance review are escalated to the MLRO. The MLRO (or designated compliance investigators) will gather all relevant information and analyze the case in detail.
- Investigation and Decision: The Compliance team investigates the alert or internal referral by reviewing the customer’s profile, transaction history, and any available external information (e.g. adverse media, internet searches, intelligence from partners). The investigation is documented, and if the MLRO determines that the activity “cannot be reasonably explained and is indicative of potential money laundering or terrorist financing,” they will proceed to file a Suspicious Activity Report. If the activity is explainable or benign, the case is closed with rationale recorded. This decision process follows the regulatory guidance on suspicion thresholds. Throughout, tipping off is strictly prohibited – staff must not disclose to the customer or any unauthorized party that they are under investigation or that a report may be filed.
- External Suspicious Activity Reports (SARs/STRs): When a decision to report is made, the MLRO will promptly file a SAR with the country’s Financial Intelligence Unit (FIU) or other designated authority as required. In Nigeria, for example, suspicious transactions are reported to the NFIU. Reports are filed as soon as possible within the timeline prescribed by law (e.g. within 24-48 hours of determining suspicion, depending on jurisdiction). The SAR contains detailed information on the customer, the transactions or activities in question, and the reasons for suspicion. Cashat uses the official reporting format or system provided (such as goAML where applicable). We retain a copy of each SAR and the supporting documentation.
- Post-SAR Actions: After filing, if required by law or risk management, Cashat may take additional actions such as closing or restricting the account (particularly if keeping it open would risk further illicit activity or tipping off). However, in some cases, law enforcement may request that the account remain open under monitoring to support an investigation – we cooperate as legally permissible. All post-report actions are guided by regulatory expectations and done in consultation with legal counsel when needed.
- Reports of Currency Transactions or Threshold-Based Reports: In jurisdictions where large transaction reporting is mandated (e.g. Nigeria requires reporting cash transactions over certain thresholds to the CBN/NFIU), Cashat will also file those reports in an automated fashion. Although our platform is digital (cashless), any significant funding or withdrawal that triggers threshold reports will be handled per local regulation.
- Metrics and Review: The Compliance Officer tracks metrics on internal referrals, alerts reviewed, SARs filed, etc. These statistics are reviewed by senior management and the Board as part of ongoing oversight. Trends (such as an increase in a certain type of suspicious activity) are analyzed to strengthen controls or training as needed.
By having a rigorous internal reporting chain and timely SAR filing process, Cashat fulfills its legal obligations and contributes to the broader fight against financial crime. We recognize that prompt reporting of suspicious transactions to the FIU is not only required by law but is crucial for enabling authorities to investigate and disrupt criminal networks. Cashat also ensures strict confidentiality of all SAR filings – the fact that a report has been made is kept secret, as disclosure could constitute unlawful tipping-off.
Employee Training and Awareness
An effective AML/CFT/CPF program requires that all relevant employees understand their responsibilities and are capable of recognizing suspicious activity. Cashat therefore implements a comprehensive training and awareness program, tailored to our business model and risks. FATF Recommendation 18 highlights the importance of staff training alongside internal controls, and we fully embrace that mandate as part of our governance. Key aspects of our training program include:
- New Hire Induction: Every new employee, regardless of department, receives AML/CFT/CPF training as part of onboarding. This covers the basics of money laundering and terrorist financing, the importance of compliance, an overview of relevant laws (like FATF standards and local regulations such as CBN AML/CFT guidelines), and Cashat’s policies (including how to report suspicions). Even employees not in customer-facing roles gain an understanding of why AML/CFT is important to the company’s mission and their role in upholding it.
- Role-Specific Training: Training is tailored to the function of staff. For example, customer support and onboarding teams are trained in KYC procedures, document verification, and spotting identity fraud or red flags during interactions. The compliance operations team receives in-depth training on transaction monitoring systems, case investigations, and regulatory reporting. Senior management and the Board are briefed on their oversight responsibilities and liability for compliance failures. Engineers and product managers are trained on data privacy and security, and how product changes might impact compliance (for instance, they learn about audit trail requirements and alert generation logic).
- Ongoing Annual Training: All employees must attend mandatory refresher training at least annually. These sessions update staff on any changes in regulations, internal policies, or emerging typologies (e.g. new scam or laundering methods). We incorporate case studies (internal or industry examples) to illustrate lessons. Training is delivered through a mix of e-learning modules, live workshops, and quizzes. Cashat’s training program also emphasizes ethical conduct and encourages a compliance mindset as part of daily operations.
- Enhanced Training for Higher-Risk Areas: Employees in departments that manage higher-risk aspects (such as large transaction review, fraud investigations, or international partnerships) receive additional targeted training. This may include deep dives into complex topics like proliferation financing red flags, sanctions evasion techniques, or advanced analytics tools. As recommended, we provide “additional sessions focused on higher-risk areas or updated regulations” for relevant staff.
- Testing and Acknowledgement: After training sessions, employees may be tested (through questionnaires or scenario exercises) to ensure comprehension. All staff are required to acknowledge understanding of the AML/CFT/CPF policy and their duty to follow it. We keep records of training completion and performance on assessments.
- Culture of Compliance: Beyond formal training, Cashat fosters an environment where compliance is everyone’s responsibility. Regular internal communications (newsletters, emails) share compliance updates and tips. We celebrate teams or individuals who demonstrate vigilance (for example, spotting and preventing fraud attempts). Management reinforces that meeting compliance obligations is a core value, even if it occasionally means turning away business or slowing a process. Employees are encouraged to ask questions and seek guidance from the Compliance team whenever in doubt.
This continuous training and awareness ensure that our staff remain well-informed of the evolving risk landscape and regulatory expectations. A well-trained workforce is crucial: it “ensures that employees are equipped to identify and mitigate potential risks” and to carry out their duties effectively. By keeping compliance knowledge fresh and relevant, Cashat reduces the likelihood of oversight failures and strengthens its defenses against financial crime.
Sanctions Screening and PEP Handling
Cashat implements stringent sanctions screening and controls to prevent dealing with sanctioned parties or facilitating illicit fund flows, as well as measures to identify and manage Politically Exposed Persons (PEPs). Compliance with international sanctions (UN, US OFAC, EU, UK, and African Union sanctions lists, among others) and national sanctions regimes is mandatory and integral to our AML/CFT/CPF program. Similarly, the risks associated with PEPs (who may be vulnerable to corruption or bribery) require enhanced attention in line with FATF Recommendation 12. Key components of our sanctions and PEP compliance framework include:
- Screening at Onboarding: All new customers (individuals and businesses, including beneficial owners of entities) are screened against relevant sanctions lists and PEP databases during the onboarding process. This includes consolidated UN Security Council sanctions, as well as lists from OFAC, EU, UK-HMT, and any local country-specific sanction lists (e.g., Nigeria’s NFIU watchlists if available). We also screen for persons subject to asset-freezing or travel bans under counter-proliferation and counter-terrorism sanctions. If an applicant’s name or details match an entry on a sanctions list (a potential “hit”), the account is not opened until the alert is cleared by compliance (false positive resolved or true match confirmed). True matches to sanctions result in denial of service and, if required, reporting to authorities. Likewise, if an applicant is identified as a PEP, we flag their profile for EDD measures (see below).
- Ongoing Screening and Rescreening: Our systems continuously screen existing customers and counterparties against updated sanctions and PEP lists. Sanctions lists can change frequently (new designations, removals), so we update our data sources daily. If any existing customer becomes a match to a sanctions list due to an update (or if new information about the customer emerges linking them to sanctions targets), the account is immediately flagged. Depending on the sanctions program requirements, we may be obliged to freeze the customer’s assets and report to the regulator/FIU. PEP status can also change (e.g. someone attaining a political office), so periodic rescreening ensures we capture those changes. Transactions are also screened: for example, beneficiary names in outward payments are screened to ensure we are not sending funds to a sanctioned entity.
- Coverage of All Parties: In addition to customers, we screen relevant related parties such as agents, corporate directors/shareholders, and significant beneficiaries of transactions. For cross-border transactions, both originator and beneficiary information is screened. If Cashat engages with third-party partner institutions (such as payout partners in other countries), we conduct due diligence to ensure they too have adequate sanctions controls.
- Handling PEPs: When a customer is identified as a Politically Exposed Person, Cashat applies enhanced due diligence. As required by global standards, we “apply enhanced due diligence (EDD) procedures for PEPs, including monitoring their transactions and source of wealth”. Specifically, we gather information about how the PEP acquired their wealth (to detect any indications of corruption). The account is subject to closer monitoring thresholds, and any large or unusual transactions by the PEP are scrutinized. Opening an account for a PEP (or continuing a relationship if an existing customer becomes a PEP) often requires senior management approval. We also extend PEP treatment to family members and close associates of PEPs, as they can be conduits for moving illicit funds. If a PEP is deemed too high-risk (for instance, a sanctioned PEP or one with known corruption allegations), Cashat may refuse or terminate the relationship to protect the platform’s integrity.
- Counter-Proliferation Financing (CPF) Controls: CPF largely overlaps with sanctions controls, as many measures against WMD proliferation involve targeted sanctions (e.g. North Korea, Iran) and export controls. Cashat ensures compliance with United Nations Security Council Resolutions relating to the prevention of WMD proliferation financing by screening against lists of designated entities and individuals (such as those under the UN Resolution 1540 framework). We do not offer services to any person or entity known to be involved in the proliferation of WMD or associated with such programs. Transactions that might indirectly support proliferation (e.g. payments involving dual-use goods companies in high-risk jurisdictions) are carefully reviewed. Staff are trained on proliferation red flags (like unusual trade payments or involvement of entities in sanctioned programs).
- Technology and Lists: We utilize automated screening systems that can handle large volumes and flag matches with high accuracy. These systems are configured to minimize false positives by capturing additional identifiers (date of birth, nationality, etc.) where possible, but we err on the side of caution in treating potential matches. We maintain subscriptions to up-to-date sanctions lists and politically exposed persons databases. Financial institutions must have systems in place to identify PEPs and monitor sanctions lists to avoid dealings with sanctioned parties, and Cashat’s technology and procedures fulfill this obligation.
- Escalation and Reporting: Any confirmed sanction hit or sanctions-related transaction is escalated to the MLRO and senior management immediately. We comply with any requirement to freeze assets and report the incident to authorities (such as the central bank or FIU) without delay. For example, in Nigeria, any sanctioned assets would be reported in line with CBN/OFAC directives. For PEPs, any suspicious activity detected would be reported via SAR as per the usual process.
By rigorously enforcing sanctions and PEP screening, Cashat protects itself from legal/reputational risk and upholds international security objectives. Non-compliance with sanctions can lead to severe penalties and reputational damage, so we maintain zero tolerance in this area. All employees involved in onboarding or payments are made aware that sanctions breaches are extremely serious; our systems are designed to prevent accidental breaches, and our policy is never to execute a transaction or onboard a client if a sanctions question is unresolved.
Policies for Specific Services and Products
Cashat offers a range of financial services – including remittances, peer-to-peer (P2P) transfers, merchant payment processing, digital wallet funding, and cross-border payments – each of which carries unique AML/CFT/CPF risks. While the core principles of our program apply across all services, we tailor certain controls to address the nuances of each product. Below we outline key policy considerations for each major service line:
Remittances and Cross-Border Transfers
Cross-border remittances (sending money from one country to another) are recognized by regulators as higher risk for money laundering and terrorist financing due to the international movement of funds. For Cashat’s remittance services, we implement the following specific measures:
- Enhanced KYC for Senders and Recipients: Both senders and, where possible, recipients of remittances are identified. Senders must have a verified Cashat account (undergo full CDD as described earlier). We also collect beneficiary details for remittances, including full name and country – and in some cases (depending on corridor and amount) contact information or ID number of the recipient. This ensures compliance with FATF’s wire transfer rule which requires including originator and beneficiary information with cross-border payments. We do not allow anonymous or undocumented remittance transactions.
- Transaction Limits and Source of Funds Checks: Cashat imposes conservative limits on remittance amounts based on customer KYC level and risk profile. Higher amounts may require additional source-of-funds information before processing (for example, proof of income or declaration of purpose for large transfers). These limits align with local regulations (e.g., if a country has a cap on international transfers for certain account tiers). Structuring of remittances (breaking a large amount into smaller sends) is monitored; if detected, multiple sends that aggregate to a large amount will be flagged.
- Screening of Cross-Border Transactions: Every cross-border payment is screened against sanctions (both sender and beneficiary names, as well as any intermediary banks or partner institutions involved). We also ensure that no remittances are sent to or from jurisdictions under comprehensive sanctions or those where Cashat is not licensed to operate. If an incoming or outgoing remittance involves a high-risk jurisdiction or a beneficiary who is a PEP, it triggers EDD review.
- Partner Due Diligence: Cashat often partners with local payout providers (banks, mobile money operators, etc.) in various countries to deliver remittances to recipients. We conduct due diligence on these partners to ensure they have robust AML programs. Agreements with partners include clauses that they will adhere to AML/CFT controls, perform any necessary local KYC on recipients, and report back any suspicious activity. We also perform periodic reviews of high-volume corridors for risks (e.g. whether our remittances are being collected predominantly in cash in certain countries, indicating potential cash smuggling risk).
- Reporting: We comply with any cross-border reporting obligations. For example, if a jurisdiction requires logging of outbound remittances above certain values, or currency export reports, we will file them. In addition, we perform aggregate analysis to spot whether Cashat’s remittance service is being misused (such as a single user sending to many different people in a manner consistent with mule activity).
Peer-to-Peer (P2P) Transfers
Cashat’s P2P feature allows users to send money domestically to one another’s wallets. While generally lower value and domestic, P2P transfers could be exploited for layering illicit funds or fraud schemes. Our specific controls for P2P include:
- Tiered Limits by KYC Level: Users with only basic KYC (if such accounts exist for financial inclusion) are restricted to low-value P2P transfers. Higher transfers require the user to upgrade their KYC level. This aligns with the principle of tiered CDD and ensures that significant transfers only occur between fully verified individuals.
- Monitoring for Unusual Patterns: We have automated rules to detect uncommon behavior in P2P usage. For instance, if one user receives funds from many unrelated users in a short period (potential pooling of illicit funds), or if a user rapidly circulates money through multiple accounts (possible layering), those patterns generate alerts. Family-and-friends type usage is expected, but we define thresholds beyond normal social payments to catch suspicious patterns.
- Preventing Abuse and Fraud: P2P channels can be used in fraud (for example, scammers convincing victims to send money via wallet transfers). Our fraud prevention team monitors complaints and patterns that suggest scam activities. If an account is reported for fraudulent P2P requests or suspected as a mule account, we investigate and may suspend the account pending further due diligence.
- No Anonymous Transfers: Cashat does not allow truly anonymous transfers; both the sender and receiver in a P2P transaction are identifiable in our system. Users can only transact P2P after completing minimum KYC. We also ensure that wallet IDs or handles have linkage to verified identities internally, even if the user-facing experience simplifies this (e.g., showing just a username).
Overall, P2P transfers are treated with the same scrutiny as other transactions, with the understanding that smaller transfers collectively could pose risk. Education is also provided to users (through our app or website) to beware of scams and only transact with people they know and trust.
Merchant Transactions and Payments
Cashat enables merchant payments where customers can pay merchants (who accept Cashat as a payment method) for goods and services. This essentially creates a business relationship with the merchants who receive payments. AML considerations and controls for merchant transactions include:
- Merchant Due Diligence (KYB): Before onboarding a merchant to accept Cashat payments, we perform Know Your Business checks. The merchant (if an individual) or the business owners are identified and verified similar to any customer. We also evaluate the nature of the merchant’s business to ensure it is legitimate and compatible with our risk appetite (for example, we may prohibit high-risk sectors like online gambling or cryptocurrency exchanges without special approval due to higher AML risk). We verify business registration documents, check the merchant and its principals against sanctions/PEP lists, and ensure they are not listed for fraud or other criminal activities. Merchants are required to agree to our terms which include AML/CFT compliance expectations (such as not using their Cashat merchant account to accept payments unrelated to their stated business).
- Transaction Monitoring for Merchant Flows: Merchant transactions typically involve higher volumes and different patterns than P2P. We monitor for red flags such as: a merchant account receiving payments that are inconsistent with its known business (e.g., a small retail shop suddenly processing very large payments or many incoming funds from unrelated regions), or merchants acting as unlicensed money transmitters (e.g., taking in money from customers and then immediately cashing out to another country). Unusual spikes in activity, very rapid pass-through of funds (money in, then quickly out to bank), or multiple customer complaints/refunds can indicate something amiss and trigger review.
- Settlements and Cash-Outs: When merchants withdraw funds from their Cashat wallet to their bank (or mobile money) accounts, those transfers are also subject to AML controls. We ensure the bank account belongs to the merchant (to avoid third-party payments) and screen those outbound transfers as well. If a merchant frequently attempts to move funds to accounts in high-risk jurisdictions, we will scrutinize that. For cross-border merchant payouts, we treat them similar to remittances in terms of screening and information requirements.
- Sector-Specific Controls: We apply enhanced monitoring to merchants in industries that are higher risk for money laundering (for example, dealers in high-value goods, charities/non-profits which could be misused for terrorist financing, etc.). These merchants may have to provide additional information on large transactions (like invoice details or customer info) if requested. For lower-risk merchants (say a local grocery store), standard monitoring suffices.
If a merchant is found to be misusing the platform (for example, acting as a front to move illicit money or violating our terms by accepting payments for prohibited activities), Cashat will take appropriate action, including freezing funds and reporting to authorities if necessary, in addition to terminating the merchant agreement.
Wallet Funding and Withdrawals
Cashat users typically fund their digital wallets through various methods (e.g., bank transfers, card payments, mobile money top-ups) and can withdraw funds similarly. AML controls around entry and exit of funds are vital:
- Accepted Funding Sources: We generally only allow funding from sources that are traceable and owned by the verified customer. For example, if funding is via bank transfer, we require that it come from an account in the customer’s name. Card funding should use the user’s own debit/credit card. This “same-name” principle prevents third parties from anonymously injecting funds into someone’s wallet. If we allow cash funding via agents or vouchers in some regions, strict limits and KYC for those transactions are in place per local regulations.
- Funding Amount Limits: We place daily and monthly limits on wallet funding and withdrawals, tiered by the customer’s KYC level and risk profile. Large one-time top-ups, especially by new users, may be held for review until additional verification is completed (e.g., proof of bank account ownership or source of funds). This is to ensure we understand the origin of funds entering our ecosystem and to catch any attempts to launder large sums through layering (depositing into wallet, then quickly moving to others or withdrawing elsewhere).
- Card and Bank Monitoring: Funding via cards can carry fraud risks (stolen cards) which indirectly ties to AML when stolen funds are laundered. Our system monitors card funding for signs of fraud (multiple cards used by one account, or one card funding multiple wallets). Similarly, if a bank account is used by multiple different Cashat users to add money, that’s a red flag likely indicating a third-party funding scheme and will be investigated.
- Withdrawals and Destinations: When users withdraw from their wallet to a bank or other external account, we similarly ensure the destination is in the user’s name (when applicable) and screen the transaction. Withdrawal patterns are monitored – for example, if someone repeatedly cashes out immediately after receiving funds (rapid in-and-out), it might indicate they are acting as a money mule for someone else. Large withdrawals may require additional review or even splitting into multiple days depending on internal risk policies and regulatory thresholds.
Overall, by controlling how money enters and exits the Cashat platform and ensuring those flows are tied to identified individuals, we mitigate the risk of the service being used as a circuit to launder money between external accounts.
Cooperation with Regulatory Authorities and Law Enforcement
Cashat recognizes the importance of close cooperation with regulators, Financial Intelligence Units, and law enforcement agencies in the fight against financial crime. We are committed to transparency and proactive engagement with authorities in all jurisdictions where we operate. Our policy in this regard includes:
- Regulatory Reporting and Communication: Beyond suspicious activity reports, Cashat files all required regulatory reports (e.g. periodic AML returns, high-value transaction reports, cash transaction reports where applicable) accurately and on time. We maintain open lines of communication with supervisory authorities such as Central Banks and Financial Regulators. If regulators conduct examinations or request information, we respond promptly and fully. We do not conceal or withhold any pertinent information and provide examiners access to systems and records as needed for their reviews.
- Information Sharing: Where allowed by law, Cashat participates in information-sharing initiatives to combat financial crime. This could include public-private partnership forums, industry AML working groups, or bilateral information exchange under safe harbor provisions. For instance, if operating in Nigeria, we would engage with the Nigeria Financial Intelligence Unit (NFIU) through any collaborative platform to provide feedback on typologies and trends. Internationally, if we detect threats (like a new scam targeting multiple institutions), we may share intelligence with peers or through groups such as Egmont Group channels, consistent with legal constraints. We also have internal protocols to handle law enforcement inquiries – e.g., verifying the validity of any subpoena or court order and responding through the MLRO or legal counsel.
- Responding to Law Enforcement Requests: Upon receiving lawful requests (court orders, subpoenas, information requests from FIUs or police) for customer or transaction information, Cashat will provide the requested data in a timely manner, as permitted by data protection laws. We have a dedicated team to handle such requests to ensure they are processed confidentially and swiftly. If asked to monitor an account or facilitate a controlled operation, we coordinate closely under guidance of our legal counsel to support the investigation while remaining compliant with the law.
- Asset Freezing and Seizure: If instructed by authorities to freeze assets or if we identify assets that must be frozen (e.g. due to sanctions or a criminal investigation), we will immediately take action to block the relevant accounts or funds. We then follow the official procedures to maintain the freeze until further notice and ensure the affected funds are not moved. Any such action is documented and reported to the relevant authority.
- Regular Engagement and Updates: We “foster relationships with regulatory authorities… to facilitate information sharing and reporting across borders”. Cashat’s compliance leadership makes a point to meet periodically with key regulators and financial intelligence officials in major markets to stay aligned on expectations. We seek clarification or guidance whenever there is regulatory uncertainty and inform regulators of significant changes in our business that could affect AML (such as launching a new product or expanding to a new country).
- Public Statements and Reporting: When legally appropriate, Cashat will contribute to public AML/CFT efforts, such as publishing anonymized statistics of our SAR filings or typology trends we have observed, to aid the broader community’s awareness. However, we ensure any public disclosures do not violate confidentiality laws (particularly around SAR secrecy).
Through these cooperative measures, Cashat not only ensures compliance with legal obligations but also demonstrates its commitment to being a responsible, law-abiding financial services provider. We view regulators and law enforcement as key stakeholders in our mission to prevent misuse of our platform, and we actively seek to “engage with global regulatory bodies to stay compliant” and contribute to collective efforts against money laundering, terrorism financing, and proliferation financing.
Roles and Responsibilities Across Teams
Effective AML/CFT/CPF compliance at Cashat is a company-wide responsibility that involves multiple departments. Clear roles and accountability ensure that each team incorporates compliance into its operations. Below is an outline of key roles and how various teams contribute to implementing this policy:
- Board of Directors and Executive Management: As noted under Governance, the Board approves the AML/CFT/CPF policy and provides oversight. They set the tone for compliance culture. Executive Management ensures that the policy is implemented across all teams and that those teams have the necessary training and resources. They also review regular compliance reports and take action on any strategic or resource issues.
- Compliance Team (Compliance/AML Department): This team, led by the Chief Compliance Officer/MLRO, is responsible for day-to-day management of the AML program. They design and update policies and procedures, conduct risk assessments, and maintain knowledge of regulatory changes. The Compliance team oversees KYC verification processes, sanctions screening, and transaction monitoring operations. They investigate alerts and internal reports of suspicious activity, deciding when to file SARs. They also handle regulatory communications and audits. Essentially, Compliance is the central hub ensuring all other teams adhere to AML requirements and that the program runs effectively.
- Product Team: The product development and management team ensures that new products or features are developed with compliance in mind. They engage Compliance early in the design phase to conduct risk assessments for new services and to embed necessary controls (for example, if launching a new payment corridor, working with Compliance to set appropriate limits and monitoring). Product managers also incorporate customer identity and transaction data capture requirements into user workflows (such as prompting for KYC when needed). They are responsible for not introducing features that could bypass controls (e.g., anonymous transaction methods) and for addressing any UX issues that might hinder compliance (like ensuring the app properly collects required information in a user-friendly way).
- Engineering and IT Team: Engineering builds and maintains the technical infrastructure that supports AML compliance – for instance, the systems for KYC verification, the transaction monitoring engine, and data reporting tools. They ensure that integrations with external databases (sanctions/PEP lists, identity verification services) function reliably. The IT team also safeguards the data security of customer information in line with NDPC guidelines, ensuring that personal data and logs are protected from breaches. When Compliance needs new analytics or changes in rules, engineering prioritizes these developments. The tech teams also implement audit logging in systems (so that there’s a record of who accessed or changed sensitive data). In summary, Engineering and IT operationalize the compliance requirements within our software and infrastructure.
- Operations Team: This typically includes customer onboarding teams, customer support, and back-office operations. Onboarding/KYC operations perform the frontline verification of customer documents and information, flagging any discrepancies or high-risk findings to Compliance (e.g., if an ID seems fake or information doesn’t match). Customer support staff are trained to identify suspicious interactions or complaints (for example, if a user claims they were coerced to make a transfer, support should escalate that). The Operations team also handles daily transaction processing, so they must follow procedures like checking for flagged transactions and not processing any block-listed payments. They coordinate with Compliance on any manual intervention needed (such as delaying a payout that seems suspicious until cleared). Essentially, Operations executes many of the processes (KYC collection, transaction processing) and needs to do so exactly as per the policy and escalate when something is out of the ordinary.
- Finance and Accounting Team: The finance department monitors cash flows, reconciliations, and liquidity. They have a role in identifying any irregular financial movements internally. For example, they might notice if funds from customers are not matching payouts or if there are unexplained adjustments – these could indicate internal fraud or AML issues. They ensure proper record-keeping of financial transactions from an accounting perspective, which complements AML record-keeping. Finance staff also know to flag any unusual payment requests or expenses that could raise AML concerns (like an invoice from an unknown third party).
- Legal Team: Legal counsel interprets relevant laws and regulations, ensuring the policy remains up-to-date with current requirements (like new CBN circulars or data protection laws). They advise on complex cases (for instance, if there’s a legal constraint in sharing certain data with regulators or cross-border). In enforcement situations (responding to subpoenas or freezing accounts), Legal guides the response to ensure compliance while protecting the company’s interests. They also review partnership contracts to insert AML/CFT compliance clauses.
- Human Resources: HR plays a role by conducting background checks on new hires (to ensure we don’t employ individuals with a history of financial crime) and ensuring that employment contracts and policies reinforce compliance expectations. HR, in partnership with Compliance, ensures that any staff disciplinary actions needed for compliance breaches are taken. HR also keeps records of employee AML training and can ensure that performance evaluations include compliance adherence where relevant.
- Partners and Agents: If Cashat uses agents or third-party partners (like an agent network for cash-in/out or white-label partnerships), those partners also have roles under our program. We conduct training and provide our agents with AML guidelines they must follow (such as KYC steps for any in-person account opening or reporting any suspicious behavior observed at an agent location). Partner institutions are expected to uphold equivalent AML standards. We assign relationship managers internally to oversee partners’ compliance with our requirements, and we may audit or request attestations from them periodically.
Each team’s responsibilities are documented in departmental procedures derived from this policy. We encourage collaboration among teams – for example, Compliance regularly meets with Product and Engineering to discuss upcoming changes, or with Operations to review KYC quality. By clearly delineating duties and encouraging cross-functional communication, Cashat ensures that AML/CFT/CPF compliance is woven into the fabric of all business processes. Everyone from top management to front-line customer support understands the critical nature of their role in keeping the platform secure and compliant.
Periodic Review and Update of the Policy
The financial crime landscape and regulatory requirements are continually evolving. To remain effective and up-to-date, Cashat will review and update this AML/CFT/CPF policy on a regular basis. The following practices govern our policy management:
- At Least Annual Review: The policy is reviewed in depth at least once every year. The Compliance team coordinates the review, taking into account any changes in laws (e.g., new FATF recommendations, amended CBN regulations, updates from other African regulators where we operate, or global sanctions regime changes) as well as findings from our own program (audit results, incident learnings). The review will assess whether the current procedures are adequate for the risks identified in our most recent risk assessment.
- Interim Updates: If significant regulatory changes occur or new risks emerge, the policy will be updated promptly, without waiting for the annual cycle. For instance, if a new law requires additional controls (such as a new customer due diligence rule or data protection requirement), we will incorporate those changes as soon as practicable. Similarly, if we expand to a new country or launch a new product, we will adjust the policy to cover any new obligations or risk areas.
- Approval and Versioning: All changes to the policy are documented and must be approved by senior management and the Board of Directors. We maintain version control, so we have an audit trail of what changes were made and why (e.g., “Updated sanctions screening section to include XYZ new list as required by regulator,” etc.). This documentation is useful for examiners and internal understanding of our compliance evolution.
- Communication and Training on Updates: Whenever the policy is updated, Cashat promptly communicates the changes to all relevant employees and provides supplemental training if needed. This ensures that there is no gap between policy changes and operational practice. For example, if new procedures for EDD are added, the Compliance team will train the Operations staff on those new steps immediately.
- Testing and Audit: After updates, and on a periodic basis, we test adherence to the policy. Our Internal Audit or an independent reviewer will evaluate whether the procedures in the policy are being followed and are effective. This could involve sample testing of KYC files, mock suspicious scenario drills, or system checks. The results of these tests inform the next review cycle. In line with best practices, we also conduct “internal audits and reviews to ensure that the AML program is effective and up-to-date”, and we address any gaps identified.
- Regulatory Input: We stay attuned to feedback from regulators or industry bodies about our policy. If during an examination a regulator suggests an improvement (for example, to elaborate more on proliferation financing controls), we will consider and incorporate that feedback. We also benchmark our policy against peers in the industry and guidance from FATF or local FIUs to ensure completeness.
Through this continual improvement loop, Cashat’s AML/CFT/CPF policy remains a living document that adapts to new threats, technologies, and regulatory expectations. Senior management remains engaged in this process, underscoring the importance of compliance adaptability. By regularly updating the policy, and thereby the program, Cashat not only remains compliant with current laws but also positions itself to anticipate and mitigate future financial crime risks, ensuring a robust and sound financial service for its customers.