Anti-Money Laundering (AML) Policy

ZuriPay is committed to the highest standards of Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) compliance. This policy outlines our comprehensive approach to preventing, detecting, and reporting money laundering and terrorist financing activities in accordance with the laws and regulations of the Republic of Zimbabwe.

This AML Policy is designed to ensure compliance with: - The Money Laundering and Proceeds of Crime Act [Chapter 9:24] - The Bank Use Promotion Act [Chapter 24:24] - The Banking Act [Chapter 24:20] - Reserve Bank of Zimbabwe (RBZ) AML/CFT Guidelines - Financial Intelligence Unit (FIU) Directives - Suppression of Foreign and International Terrorism Act [Chapter 11:21] - United Nations Security Council Resolutions on Sanctions

ZuriPay maintains a zero-tolerance policy towards money laundering and terrorist financing. All employees, agents, and third-party service providers are required to adhere strictly to this policy and report any suspicious activities immediately.

Money Laundering is the process of concealing the origins of illegally obtained money, typically by transferring it through a complex sequence of banking transfers or commercial transactions. Under Zimbabwean law, money laundering includes: - Concealing or disguising the true nature, source, location, disposition, movement, or ownership of property knowing it is proceeds of crime - Converting, transferring, or removing property from Zimbabwe knowing it is proceeds of crime - Acquiring, possessing, or using property knowing it is proceeds of crime - Participating in, associating with, or conspiring to commit any of the above acts

Terrorist Financing involves the provision or collection of funds with the intention or knowledge that they will be used to carry out terrorist acts. This includes: - Providing or collecting funds for terrorist activities - Providing financial services to terrorist organizations - Facilitating the movement of funds for terrorist purposes

Predicate Offences in Zimbabwe include but are not limited to: - Corruption and bribery - Fraud and theft - Tax evasion - Drug trafficking - Human trafficking - Arms trafficking - Smuggling - Counterfeiting - Environmental crimes - Cybercrime

ZuriPay implements robust Customer Due Diligence procedures to verify the identity of all customers and understand the nature of their business relationships.

Individual Customer Verification Requirements: - Full legal name as per national identification - National ID number or passport number for foreign nationals - Date and place of birth - Current residential address (proof required) - Contact information (phone number and email) - Occupation and source of income - Purpose and intended nature of the business relationship - Expected transaction volume and frequency

Required Documentation for Individuals: - Valid National ID card or Passport - Proof of residential address (utility bill, bank statement, or lease agreement not older than 3 months) - Employment letter or proof of income source - Bank reference letter (for high-value transactions)

Corporate Customer Verification Requirements: - Company registration certificate - Certificate of incorporation - Memorandum and Articles of Association - List of directors and their identification documents - List of beneficial owners (25% or more ownership) - Company CR14 and CR6 forms - Valid tax clearance certificate - Proof of business address - Bank reference letter - Board resolution authorizing account opening and signatories

Enhanced Due Diligence (EDD) triggers: - Politically Exposed Persons (PEPs) and their associates - High-risk jurisdictions as designated by FATF or RBZ - Complex ownership structures - Cash-intensive businesses - Non-profit organizations - Cross-border transactions exceeding USD 10,000 - Unusual transaction patterns

ZuriPay employs a risk-based approach to AML compliance, categorizing customers and transactions based on their inherent risk levels.

Customer Risk Categories: - Low Risk: Regular salary earners, small businesses with transparent operations - Medium Risk: Cash-intensive businesses, frequent international transactions - High Risk: PEPs, complex ownership structures, businesses in high-risk sectors

Geographic Risk Factors: - Countries subject to UN, EU, or OFAC sanctions - Countries identified by FATF as high-risk or non-cooperative - Countries with significant levels of corruption or criminal activity - Tax havens or jurisdictions with bank secrecy laws

Product/Service Risk Assessment: - Wire transfers and international remittances (High Risk) - Mobile money services (Medium to High Risk) - Prepaid cards and e-wallets (Medium Risk) - Merchant payment processing (Low to Medium Risk)

Transaction Risk Indicators: - Large cash deposits or withdrawals - Structured transactions to avoid reporting thresholds - Rapid movement of funds - Transactions inconsistent with customer profile - Use of multiple accounts or payment methods - Transactions to/from high-risk jurisdictions

Risk Mitigation Measures: - Transaction limits based on risk profile - Enhanced monitoring for high-risk customers - Regular review of customer risk ratings - Restrictions on certain products for high-risk customers - Mandatory source of funds verification for large transactions

ZuriPay operates sophisticated transaction monitoring systems to detect potentially suspicious activities in real-time and through periodic reviews.

Automated Monitoring Systems: - Real-time transaction screening against predefined rules and scenarios - Machine learning algorithms for anomaly detection - Behavioral analysis to identify deviations from normal patterns - Velocity checks for transaction frequency and volume - Cross-product monitoring for related party transactions

Monitoring Scenarios Include: - Transactions just below reporting thresholds (structuring) - Sudden increase in transaction volume or frequency - Transactions to/from high-risk countries - Multiple transactions to different beneficiaries in short time periods - Round-amount transactions - Dormant account suddenly active - Frequent changes to customer information

Manual Review Triggers: - System-generated alerts requiring human investigation - Customer complaints or concerns - Negative news or adverse media - Law enforcement inquiries - Whistleblower reports

Investigation Procedures: - Alert prioritization based on risk score - Documentation of investigation findings - Customer outreach for transaction clarification when appropriate - Escalation to Compliance Officer for suspicious activities - Decision documentation (clear, escalate, or file STR)

Red Flags Requiring Immediate Attention: - Customer reluctance to provide required information - Use of false or suspicious documents - Transactions with no apparent economic purpose - Complex transactions involving multiple parties - Attempts to avoid reporting requirements - Involvement of shell companies or complex structures

ZuriPay maintains strict compliance with all reporting obligations under Zimbabwean law and RBZ regulations.

Suspicious Transaction Reports (STRs): - Must be filed with the FIU within 3 business days of suspicion - No minimum threshold for suspicious transactions - Include all relevant transaction details and supporting documentation - Maintain strict confidentiality (tipping-off is prohibited) - File follow-up reports for continuing suspicious activity

Threshold Transaction Reports (TTRs): - Cash transactions of ZWG 5,000 or equivalent in foreign currency - Electronic transfers of USD 10,000 or equivalent - Multiple transactions that aggregate to threshold amounts - Report within 5 business days to FIU

Cross-Border Transaction Reports: - All international wire transfers regardless of amount - Include originator and beneficiary information - Report currency exchange transactions above USD 1,000

Internal Reporting Structure: - Front-line staff report to immediate supervisors - Supervisors escalate to Compliance Officer - Compliance Officer reviews and files external reports - Board oversight through quarterly compliance reports

Record of Reports Filed: - Maintain register of all STRs and TTRs filed - Track status and any feedback from authorities - Annual statistics for board and regulatory review

Protection for Reporting: - No liability for good faith reporting - Whistleblower protection for internal reports - Anonymous reporting channels available - Protection from customer retaliation

ZuriPay implements enhanced measures for identifying and managing relationships with Politically Exposed Persons, their family members, and close associates.

PEP Definition under Zimbabwean Law: - Current or former senior government officials - Senior political party officials - Senior executives of state-owned enterprises - Senior military or police officials - Senior judicial officials - Board members of central banks - Ambassadors and senior diplomats

Family Members Include: - Spouse or partner - Children and their spouses - Parents - Siblings

Close Associates Include: - Business partners - Individuals with joint beneficial ownership - Individuals with close business relationships

PEP Screening Procedures: - Screen all new customers against PEP databases - Regular rescreening of existing customers (minimum annually) - Use of reputable third-party PEP databases - Manual verification for potential matches - Documentation of screening results

Enhanced Measures for PEPs: - Senior management approval for account opening - Enhanced due diligence on source of wealth and funds - More frequent transaction monitoring - Annual relationship reviews - Restrictions on certain high-risk products - Regular updates of PEP status

Foreign PEPs: - Mandatory enhanced due diligence - Source of wealth verification required - Senior management approval for all transactions above USD 5,000 - Quarterly relationship reviews

ZuriPay maintains comprehensive sanctions screening procedures to ensure compliance with international and domestic sanctions regimes.

Sanctions Lists Screened: - United Nations Security Council Sanctions Lists - Office of Foreign Assets Control (OFAC) - SDN List - European Union Consolidated List - UK HM Treasury Sanctions List - Reserve Bank of Zimbabwe Sanctions List - INTERPOL Wanted Persons - Local law enforcement lists

Screening Procedures: - Real-time screening of all transactions - Daily screening of customer database - Pre-account opening screening - Ongoing monitoring for list updates - False positive management procedures - Match resolution within 24 hours

Prohibited Transactions: - Any transaction involving sanctioned individuals or entities - Transactions with countries under comprehensive sanctions - Provision of prohibited goods or services - Facilitation of sanctions evasion

Match Resolution Process: - Automatic blocking of exact matches - Manual review of potential matches - Documentation of resolution decisions - Escalation procedures for confirmed matches - Reporting to relevant authorities - Customer notification where legally permitted

Sanctions Training: - Annual training for all staff - Specialized training for compliance team - Updates on sanctions regime changes - Testing and certification requirements

ZuriPay maintains comprehensive records in accordance with Zimbabwean law and international best practices.

Record Retention Requirements: - Customer identification records: 5 years after relationship ends - Transaction records: 5 years from transaction date - STR/SAR records: 5 years from filing date - Risk assessment documentation: 5 years from assessment date - Training records: 5 years from training date - Internal audit reports: 7 years

Types of Records Maintained: - Account opening documentation - Transaction details and supporting documents - Correspondence with customers - Internal suspicion reports - External reporting records - Risk assessment and reviews - Investigation files - Training attendance and materials

Data Protection Measures: - Encryption of sensitive data - Access controls and user authentication - Audit trails for data access - Secure disposal procedures - Regular security assessments - Incident response procedures

Information Sharing: - With law enforcement upon valid request - With FIU for regulatory purposes - With correspondent banks as required - Under court orders - Within ZuriPay for AML purposes - Strict confidentiality maintained

Customer Data Rights: - Right to access (subject to AML restrictions) - Right to correction of inaccurate data - No right to deletion during retention period - Privacy notice provided at onboarding

ZuriPay implements a comprehensive AML/CFT training program to ensure all personnel understand their obligations and can effectively identify and report suspicious activities.

Training Requirements: - Mandatory AML training for all new employees within 30 days - Annual refresher training for all staff - Role-specific training for high-risk functions - Enhanced training for compliance personnel - Board and senior management awareness sessions

Training Topics Covered: - Overview of money laundering and terrorist financing - Zimbabwean AML/CFT laws and regulations - ZuriPay's AML policies and procedures - Customer due diligence requirements - Transaction monitoring and red flags - Reporting obligations and procedures - Sanctions screening requirements - Case studies and practical examples

Training Delivery Methods: - In-person classroom sessions - E-learning modules - Webinars and video conferences - Self-study materials - External conferences and seminars

Assessment and Certification: - Pre and post-training assessments - Minimum passing score of 80% - Certification valid for one year - Remedial training for failures - Performance tracking and reporting

Ongoing Awareness: - Monthly AML tips and reminders - Quarterly compliance newsletters - Regular team meetings on AML topics - Sharing of industry best practices - Lessons learned from incidents

ZuriPay maintains a robust governance structure to ensure effective implementation and oversight of AML/CFT compliance.

Board of Directors Responsibilities: - Approve AML/CFT policies and procedures - Ensure adequate resources for compliance - Review quarterly compliance reports - Oversee culture of compliance - Annual assessment of AML program effectiveness

Senior Management Responsibilities: - Implement board-approved policies - Allocate necessary resources - Foster compliance culture - Address compliance deficiencies - Regular communication with board

Chief Compliance Officer: - Day-to-day management of AML program - Direct reporting line to CEO and Board - Authority to suspend suspicious transactions - Liaison with regulatory authorities - Independent testing coordination

Compliance Team Structure: - Transaction monitoring analysts - Investigation specialists - Sanctions screening team - Training coordinators - Quality assurance personnel

Three Lines of Defense: 1. First Line: Business units and operations - Customer onboarding - Transaction processing - Initial suspicious activity detection

2. Second Line: Compliance function - Policy development - Monitoring and testing - Advisory services - Regulatory liaison

3. Third Line: Internal audit - Independent assessment - Program effectiveness testing - Recommendations for improvement

ZuriPay conducts regular independent testing of its AML/CFT program to ensure effectiveness and identify areas for improvement.

Internal Audit Requirements: - Annual comprehensive AML audit - Risk-based audit approach - Independent audit function - Direct reporting to Board Audit Committee - Follow-up on findings and remediation

External Audit: - Independent AML program review every 2 years - Conducted by qualified external auditors - Comprehensive testing of all AML components - Benchmarking against industry standards - Management action plans for findings

Audit Scope Includes: - Policy and procedure adequacy - Customer due diligence processes - Transaction monitoring effectiveness - Suspicious activity reporting - Sanctions screening accuracy - Training program assessment - Record keeping compliance - Regulatory reporting accuracy

Testing Methodologies: - Sample testing of customer files - Transaction testing and analysis - System configuration reviews - Process walkthroughs - Staff interviews and assessments - Scenario-based testing

Remediation Process: - Formal management responses required - Risk-based prioritization of findings - Clear timelines for remediation - Progress tracking and reporting - Validation of completed actions - Lessons learned documentation

ZuriPay leverages advanced technology solutions to enhance AML/CFT compliance effectiveness and efficiency.

Core AML Systems: - Customer screening and onboarding platform - Real-time transaction monitoring system - Case management system - Sanctions screening solution - Regulatory reporting platform - Document management system

System Capabilities: - API integration with third-party data providers - Machine learning for pattern detection - Natural language processing for news screening - Blockchain analysis for cryptocurrency transactions - Biometric verification for customer identity - Automated regulatory reporting

Data Analytics and Reporting: - Risk scoring algorithms - Trend analysis and visualization - Predictive analytics for risk assessment - Management dashboards - Regulatory reporting automation - Ad-hoc query capabilities

System Controls: - Role-based access controls - Audit logging of all activities - Data encryption at rest and in transit - Regular security assessments - Disaster recovery procedures - Change management protocols

Vendor Management: - Due diligence on technology vendors - Service level agreements - Regular performance reviews - Data protection agreements - Business continuity planning - Exit strategies

Non-compliance with this AML Policy may result in severe consequences for both ZuriPay and individuals involved.

Regulatory Penalties under Zimbabwean Law: - Fines up to ZWG 5,000,000 for institutions - Imprisonment up to 20 years for money laundering offences - Imprisonment up to 15 years for terrorist financing - Asset forfeiture and confiscation - Loss of operating license - Public censure and reputational damage

Internal Disciplinary Actions: - Verbal or written warnings - Suspension without pay - Termination of employment - Legal action for damages - Reporting to professional bodies - Criminal prosecution referral

Personal Liability: - Individual criminal prosecution - Personal fines and penalties - Professional disqualification - Imprisonment - Asset freezing and forfeiture - Travel restrictions

Examples of Violations: - Failure to report suspicious transactions - Tipping off customers about investigations - Processing transactions for sanctioned parties - Inadequate customer due diligence - Falsifying compliance records - Circumventing AML controls

Protection for Compliance: - No penalty for good faith reporting - Legal protection for compliance with policy - Indemnification for authorized actions - Support for legal proceedings - Whistleblower protections

For questions, concerns, or to report suspicious activities, please contact:

AML Compliance Officer (AMLCO): Name: Jaqueline Hussein Email: compliance@zuripay.app

Compliance Department: Email: compliance@zuripay.app Address: 4 Normandy Road, Alexandra Park, Harare, Zimbabwe

External Reporting: Financial Intelligence Unit (FIU) Zimbabwe Email: fiu@rbz.co.zw Phone: +263 4 703000 Address: 80 Samora Machel Avenue, Harare

Reserve Bank of Zimbabwe Bank Supervision Division Phone: +263 4 703000 Website: www.rbz.co.zw

Useful Resources: - FATF Recommendations: www.fatf-gafi.org - RBZ AML Guidelines: www.rbz.co.zw/aml - FIU Reporting Forms: www.fiu.co.zw/forms - Sanctions Lists: www.un.org/securitycouncil/sanctions

Employee Resources: - Internal AML Portal: internal.zuripay.app/aml - Training Platform: training.zuripay.app - Policy Documents: policies.zuripay.app - Anonymous Reporting: ethics.zuripay.app

Last Updated: 1st May 2025 Next Review Date: 1st May 2026

This policy is subject to change based on regulatory updates and industry best practices. All stakeholders will be notified of material changes.