AML Policy

1. Purpose

This Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Policy outlines Fyatu Financial Technologies Limited’s (“Fyatu”) commitment to preventing the use of our card issuing platform for money laundering, terrorist financing, or other financial crimes.

This policy applies to Fyatu’s card programme clients (“Clients”) — businesses that use the Fyatu platform to issue Visa and Mastercard cards under their own programmes. It describes both Fyatu’s obligations as a platform operator and the obligations Clients must meet to maintain access to the platform.

2. Regulatory Framework

Fyatu complies with applicable AML/CTF laws and regulations, including:

• Anti-money laundering legislation of the United Republic of Tanzania
• Guidelines and recommendations of the Financial Action Task Force (FATF)
• Visa and Mastercard card network AML and compliance rules
• BIN Sponsor regulatory obligations applicable to the Client’s programme
• Applicable international sanctions regimes (UN, EU, OFAC, and others)

3. Client Onboarding and Business KYC

Before activating a card programme, Fyatu conducts due diligence on every Client entity. Required documentation includes:

• Certificate of incorporation and business licence
• Registered address and country of incorporation
• Details of all directors, authorised signatories, and ultimate beneficial owners (UBOs), including full name, date of birth, nationality, and government-issued ID
• Certificate of good standing
• Description of the Client’s business, target markets, and intended card programme use case
• Evidence of regulatory licences required for the Client’s operating markets, where applicable

Clients that have not completed business verification are not permitted to go live. Fyatu reserves the right to request additional documentation at any time for ongoing due diligence purposes.

4. Client Responsibility for Cardholder KYC

Where the Client operates under Shared KYC, the Client is solely responsible for:

• Verifying the identity of each cardholder before issuing a card
• Maintaining cardholder KYC records in accordance with applicable law
• Conducting ongoing cardholder due diligence and monitoring
• Filing suspicious transaction reports with relevant authorities in the Client’s jurisdiction

Where the Client operates under Managed KYC, Fyatu performs cardholder identity verification on the Client’s behalf using approved third-party verification providers. The Client remains the data controller and the responsible party for its cardholders’ AML compliance obligations.

In both cases, Fyatu may suspend cardholder onboarding or card issuance for any programme if KYC standards are not met.

5. Sanctions Screening

Fyatu screens all Client entities and their associated individuals (directors, UBOs, signatories) against international and local sanctions lists during onboarding and on an ongoing basis. Screening covers UN, EU, OFAC, and other applicable sanctions databases.

Fyatu will not onboard or provide services to any entity or individual that appears on a sanctions list. Clients found to be sanctioned after onboarding will have their programme immediately suspended and reported to the relevant authorities.

Clients operating under Shared KYC are required to screen their cardholders against applicable sanctions lists before issuing cards and on an ongoing basis. Fyatu may additionally screen cardholder data passed through the platform.

6. Transaction Monitoring

Fyatu employs automated and manual monitoring at the programme and transaction level to detect suspicious activity, including:

• Unusual card issuance volumes relative to the Client’s stated programme size or use case
• Abnormal transaction patterns — high velocity, round-number structuring, or geographic concentration inconsistent with the programme’s declared markets
• Rapid deposit followed by immediate card spend or withdrawal with no clear economic purpose
• Transactions involving jurisdictions or counterparties flagged as high-risk by FATF
• Programme Balance funding from sources inconsistent with the Client’s business profile
• Patterns suggesting cardholders are acting in concert to structure transactions below reporting thresholds
• Repeated card issuance and termination cycles without normal spend activity

Clients are expected to maintain their own programme-level transaction monitoring and to report any suspicious activity identified in their programme to Fyatu and to the relevant authorities in their jurisdiction.

7. Suspicious Activity Reporting

When suspicious activity is identified, Fyatu will:

• Investigate the activity promptly through our compliance team
• File Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) with the relevant Tanzanian authorities as required by law
• Suspend affected cards or the Client’s programme pending investigation where necessary
• Cooperate fully with law enforcement, regulatory authorities, BIN Sponsors, and card networks
• Notify the Client where legally permitted to do so

Fyatu personnel are prohibited from disclosing to the Client or any third party that a SAR/STR has been filed (tipping-off prohibition).

8. Programme Suspension and Termination

Fyatu reserves the right to suspend or terminate a Client’s card programme without prior notice if:

• Suspicious or potentially illegal activity is detected in the programme
• The Client fails to provide requested documentation or information within a reasonable timeframe
• The Client or any associated individual is found to be on a sanctions list
• A request is received from law enforcement, regulatory authorities, a BIN Sponsor, or a card network
• The Client fails to maintain adequate cardholder KYC or AML controls
• The Client violates the Terms of Service, this AML Policy, or card network rules

Funds held in the Programme Balance will be frozen pending investigation and released in accordance with the wind-down procedures in the Terms of Service once the grounds for suspension are resolved or the programme is terminated.

9. Prohibited Activities

The following are strictly prohibited on the Fyatu platform:

• Money laundering, terrorist financing, or proliferation financing
• Sanctions evasion — including routing transactions through intermediaries to avoid screening
• Fraud, identity theft, or impersonation of cardholders or business entities
• Tax evasion or facilitating tax evasion for cardholders
• Issuing cards to cardholders whose identity has not been verified in accordance with this policy
• Using the programme to process funds derived from criminal activity
• Operating the card programme in markets not disclosed during onboarding without prior written approval
• Any activity listed in the Prohibited Goods and Services appendix of the Terms of Service

10. Record Keeping

Fyatu maintains records of all Client identification data, verification documents, transaction history, and compliance activities for a minimum of 7 years after programme closure. Records are stored securely and made available to regulators and law enforcement upon lawful request.

Clients are independently responsible for maintaining their own AML records for the retention period required by applicable law in their operating jurisdictions.

11. Employee Training

All Fyatu employees and contractors with access to Client data or involvement in transaction processing receive:

• AML/CTF training upon onboarding
• Regular refresher training on evolving regulations, typologies, and red flags relevant to card programme operators
• Guidance on recognising and escalating suspicious activities at the programme level

12. Contact

To report suspicious activity or for compliance inquiries, reach us via your dedicated shared Slack channel or by email:

• Compliance team: [email protected]
• Legal matters: [email protected]
• General support: [email protected]