Last updated: 11-05-2025

This Compliance & Risk Management Policy defines how ChiwawaPay upholds integrity, trust, and regulatory compliance in the provision of its fintech and payment services across Tanzania, Kenya, Uganda, and Asia.
It ensures adherence to both local financial regulations and international Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and Know Your Customer (KYC) standards.

1. Purpose

The purpose of this policy is to:

  • Safeguard ChiwawaPay, its users, and partners against fraud, money laundering, and financial crime.

  • Ensure transparency and accountability in all financial operations.

  • Maintain compliance with national and international financial regulations.

  • Build confidence among users, investors, payment partners, and regulators.

2. Scope

This policy applies to:

  • All ChiwawaPay employees, agents, and affiliates.

  • All merchants, vendors, and API users integrating ChiwawaPay.

  • All payment channels, including card payments, mobile money, and bank transfers.

  • All regions of operation: Tanzania, Kenya, Uganda, and Asia.

3. Regulatory Framework

ChiwawaPay’s compliance framework aligns with the following laws and regulations:

Regional Regulations

  • Bank of Tanzania (BoT) Electronic Money Regulations (2021).

  • Central Bank of Kenya (CBK) National Payment Systems Act.

  • Bank of Uganda (BoU) Financial Institutions (Anti-Money Laundering) Regulations.

International Standards

  • FATF (Financial Action Task Force) Recommendations.

  • EU General Data Protection Regulation (GDPR).

  • OECD Anti-Bribery Convention.

  • UN Convention Against Corruption.

ChiwawaPay also observes best practices from major fintech compliance frameworks, including those used by Stripe, Paystack, and Flutterwave.

4. Compliance Structure

ChiwawaPay maintains a structured compliance governance model:

  • Chief Compliance Officer (CCO): Oversees all compliance and risk management functions.

  • Compliance Committee: Reviews high-risk transactions, suspicious activity reports (SARs), and partner audits.

  • AML/KYC Team: Conducts identity verification, screening, and transaction monitoring.

  • Internal Audit & Risk Department: Conducts quarterly audits and risk assessments.

All departments work collaboratively to ensure regulatory alignment and operational integrity.

5. Know Your Customer (KYC) Procedures

To prevent fraud and ensure legal compliance:

  • All customers and merchants must undergo KYC verification before accessing full services.

  • Required documents may include:

    • For individuals: National ID (NIDA, Passport, Voter ID).

    • For businesses: Certificate of Incorporation, TIN, and authorized signatory ID.

  • Verification is conducted using digital KYC APIs integrated through our third-party payment aggregator partners.

  • Customer data is encrypted and stored securely in compliance with GDPR and data localization requirements.

6. Anti-Money Laundering (AML) Controls

ChiwawaPay actively monitors transactions to detect and prevent:

  • Money laundering, terrorist financing, and fraudulent activity.

  • Unusual transaction patterns inconsistent with customer profiles.

  • Transfers involving blacklisted entities or sanctioned countries.

We employ:

  • Automated transaction screening using machine learning tools.

  • Real-time sanctions checks against OFAC, EU, and UN lists.

  • Suspicious Activity Reports (SARs) for flagged accounts.

All AML operations comply with FATF Recommendations 10–21.

7. Risk Classification and Assessment

Customers, merchants, and partners are categorized into risk tiers:

  • Low Risk: Verified individuals and businesses with predictable transaction behavior.

  • Medium Risk: SMEs or online businesses with higher transaction volume.

  • High Risk: Entities dealing with virtual currencies, cross-border remittances, or unregulated industries.

Risk assessments are performed:

  • During onboarding (initial KYC).

  • Periodically (every 6–12 months).

  • On triggers such as abnormal transaction spikes or flagged behaviors.

8. Transaction Monitoring

Our automated monitoring systems analyze transactions for:

  • Unusual frequency, size, or destination patterns.

  • Transactions inconsistent with the customer’s known activity.

  • Transfers involving politically exposed persons (PEPs) or sanctioned entities.

Alerts generated are reviewed by the Compliance and AML Teams for investigation and escalation if necessary.

9. Third-Party Aggregator & Partner Oversight

As ChiwawaPay operates in partnership with licensed payment aggregators and financial institutions, we:

  • Conduct due diligence and compliance screening before partnership.

  • Ensure all third-party partners maintain valid licensing and AML/KYC programs.

  • Require written agreements covering data protection, risk management, and reporting obligations.

  • Perform periodic compliance audits and risk reviews of all partners.

This ensures consistent compliance across our multi-country payment network.

10. Data Protection & Confidentiality

ChiwawaPay guarantees:

  • End-to-end encryption for all data transmissions.

  • Tokenization of sensitive financial data (e.g., card numbers).

  • Role-based access control for internal systems.

  • Adherence to GDPR Article 32 and African Data Protection Regulations.

Customer information is confidential and used only for legitimate service, legal, and compliance purposes.

11. Fraud Prevention Framework

To mitigate fraud:

  • Transactions undergo multi-layer verification (OTP, 3D Secure, etc.).

  • Device fingerprinting and IP geolocation analysis detect suspicious access.

  • A Fraud Risk Score (FRS) is applied to each transaction in real time.

  • The Compliance Team coordinates with law enforcement and banks for confirmed cases.

Fraud prevention procedures are reviewed quarterly for efficiency and adaptation to new threats.

12. Reporting and Record Keeping

ChiwawaPay maintains:

  • Detailed logs of all transactions, KYC data, and compliance reviews for at least 7 years.

  • Suspicious Transaction Reports (STRs) filed with relevant authorities when required.

  • Immediate reporting of confirmed financial crimes to local regulators and law enforcement.

All reporting complies with local and international AML statutes.

13. Business Continuity and Incident Response

To ensure resilience:

  • We maintain a Business Continuity Plan (BCP) to handle service disruptions or compliance incidents.

  • Incident Response Teams investigate security breaches or compliance alerts within 24 hours.

  • Regular disaster recovery tests are conducted with third-party data centers.

Critical systems are hosted in secure cloud environments with redundancy and backup in multiple regions.

14. Staff Training and Awareness

All employees and agents undergo:

  • Mandatory AML/KYC and Data Protection training every 6 months.

  • Immediate onboarding orientation on compliance and reporting procedures.

  • Awareness sessions on fraud detection and cybersecurity best practices.

Training logs are retained for audit purposes.

15. Non-Compliance and Penalties

Any staff, merchant, or partner found violating this policy may face:

  • Account suspension or termination.

  • Reporting to law enforcement or regulatory bodies.

  • Financial penalties or legal action under applicable laws.

16. Continuous Improvement

ChiwawaPay commits to:

  • Regularly reviewing and updating this policy to align with new regulations and technologies.

  • Conducting quarterly internal audits and annual third-party compliance reviews.

  • Maintaining open engagement with regulators and financial partners.
