Compliance

Cashat is a regulated financial-services group operating across multiple African jurisdictions. We deliver consumer wallets, agent banking, merchant acquiring, cross-border remittance and card products through a network of licensed local operating entities and partner banks. We do not hold customer funds on our own balance sheet — all balances sit with regulated counterparties.

Cashat's compliance framework is benchmarked against the recommendations of the Financial Action Task Force (FATF), the Basel Committee on Banking Supervision, and the data-protection regimes of the markets we serve.

We operate through, and in partnership with, institutions licensed by their respective regulators. Current arrangements include, without limitation:

• Nigeria — Mobile Money Operator and Payment Solution Service Provider licences via licensed partners, regulated by the Central Bank of Nigeria (CBN).
• Kenya — Payment Service Provider authorisation under the National Payment System Act, supervised by the Central Bank of Kenya (CBK).
• Ghana — Dedicated Electronic Money Issuer (DEMI) partnership regulated by the Bank of Ghana.
• WAEMU region (Benin, Côte d'Ivoire, etc.) — partnership with an e-money institution licensed by the BCEAO.
• CEMAC region (Cameroon, Chad) — partnership with an institution licensed by COBAC / BEAC.
• Card issuance through partner principal members of Visa and Mastercard, and acquiring through PCI-DSS Level 1 certified processors.

A jurisdiction-specific list of licensed counterparties is available on request from legal@cashat.africa.

Every Cashat customer is identified and verified before they can transact. We apply a risk-based approach that matches the depth of due diligence to the customer's risk profile and intended use of the Services.

• Tier 1 (basic wallet): name, date of birth, mobile number, government-ID number with database validation.
• Tier 2 (standard wallet): all of Tier 1 plus government ID document upload, liveness-verified selfie, and address confirmation.
• Tier 3 (full wallet, cards, cross-border): all of Tier 2 plus source-of-funds declaration and, where applicable, enhanced due diligence (EDD).
• Merchants and agents: KYB on the entity, KYC on beneficial owners with ≥25% ownership, and ongoing monitoring of transaction patterns.

All customers, beneficiaries and counterparties are screened at onboarding and continuously thereafter against the consolidated sanctions lists of the United Nations, the African Union, OFAC (US), the EU, the UK and other applicable lists. Politically Exposed Persons (PEPs) and their close associates are subject to enhanced due diligence and senior-management approval.

Every transaction on the Cashat network passes through a real-time monitoring engine that combines rule-based and machine-learning detection. Alerts are reviewed by a dedicated Financial Crime Operations team. Suspicious Transaction Reports (STRs) are filed promptly with the relevant Financial Intelligence Unit (FIU) — for example, the NFIU in Nigeria, the FRC in Kenya, or the FIC in Ghana.

We display all applicable fees, foreign-exchange spreads and limits before a customer confirms a transaction. Complaints are acknowledged within 24 hours and resolved within 15 business days. Unresolved disputes may be escalated to the consumer-protection or financial-services ombudsman of the customer's jurisdiction.

Personal information is processed in accordance with the Nigeria Data Protection Act 2023, Kenya's Data Protection Act 2019, Ghana's Data Protection Act 2012, and equivalent legislation in every other market we serve. See our Privacy Notice for full details.

Anyone — staff, customer, partner or member of the public — who suspects misconduct, fraud, bribery or breach of law within Cashat or its partners can report it confidentially to whistleblower@cashat.africa. Reports may be made anonymously. We do not retaliate against good-faith whistleblowers.

Cashat's compliance programme is reviewed annually by an external firm. Our information-security posture is assessed against ISO 27001 controls and our card environment is audited annually for PCI-DSS compliance. Reports are available to regulators and to commercial partners under NDA.

Regulators, banking partners and journalists with compliance enquiries can reach the Cashat Compliance Office at compliance@cashat.africa. Law-enforcement requests should be sent to leo@cashat.africa with appropriate legal process attached.