Victoria Island, Lagos

Compliance Policy

Effective Date: July 22, 2025

Purpose

This policy sets the standards and controls that guide how Kashflo operates lawfully, ethically, and securely. It covers regulatory compliance, data privacy, AML/CFT, responsible lending, marketing fairness, incident response, and ongoing monitoring across our products: FreeMe (individual), Efico (students), FreeBiz (business), Credit & Cards, Remittances/Wallets (NGN, USD), and Financial Advisory.

Scope

Applies to all Kashflo entities, employees, contractors, agents, and third-party service providers involved in product development, operations, support, sales/marketing, and data processing.

Governance & Accountability

  • Board Oversight: The Board (or delegated Risk & Compliance Committee) owns this policy and receives quarterly compliance/AML reports and incident reports as needed.

  • Chief Compliance Officer (CCO): Owns the compliance program, policy maintenance, regulatory liaison, and staff training.

  • Money Laundering Reporting Officer (MLRO): Manages AML/CFT, sanctions screening, transaction monitoring, STR/SAR filings, and periodic AML risk assessments.

  • Data Protection Officer (DPO): Oversees NDPR/GDPR compliance, DPIAs, privacy notices, consent, data subject requests, and vendor privacy reviews.

  • Product & Engineering Leads: Embed controls (KYC tiers, geofencing, consent gating, logging) by design.

  • All Staff: Must complete mandatory training and promptly escalate incidents or suspicious activity.

Regulatory Framework (Nigeria-first, global-ready)

  • Licensing & Authorizations: Operate under applicable licenses/partnerships (e.g., licensed bank/IMTO/PSP partners where relevant). No activity outside license scope.

  • Nigeria Core Laws/Rules: NDPR (privacy), AML/CFT regulations, CBN directives/circulars relevant to payments, card issuance, and digital banking.

  • Cross-Border Expansion: Where we serve users outside Nigeria, we align to local privacy, AML/CFT, consumer protection, and e-money/card rules, applying the higher standard where requirements differ.

Code of Ethics & Conduct

  • Zero tolerance for bribery, corruption, facilitation payments, kickbacks, fraud, market abuse, or retaliation against whistleblowers.

  • Conflicts of interest must be disclosed and managed.

  • Gifts & hospitality follow a pre-approval and register process.

Financial Crime Compliance (AML/CFT & Sanctions)

Risk Assessment

  • Maintain an enterprise-wide ML/TF risk assessment annually and on material change (new product, new corridor, new partner).

  • Risk-rate customers, products (e.g., Credit vs. Wallet), channels (app vs. API), and geographies.

Customer Due Diligence (CDD/KYC)

  • Tiered KYC:

    • Lite (low limits): basic identity (full name, phone, DOB), selfie, basic risk checks.

    • Standard (higher limits): valid government ID, BVN (Nigeria), selfie/face-match, address verification as required.

    • Enhanced: for high-risk users (foreign PEPs, adverse media, unusual patterns) — collect additional information and documentary proof.

  • Beneficial Ownership: For FreeBiz and entity accounts, identify and verify UBOs and control persons.

  • Ongoing KYC: Periodic refresh by risk tier; trigger refresh on events (e.g., limits upgrade, unusual activity).

Sanctions & PEP Screening

  • Screen at onboarding and continuously against global and local lists (e.g., UN, OFAC, UK HMT, EU, local lists) and PEP/adverse media databases.

  • Positive matches → review by Compliance; no onboarding/activity until cleared.

Transaction Monitoring & STR/SAR

  • Scenario- and behavior-based monitoring (velocity, structuring, mule patterns, circular flows, card testing, merchant risk).

  • File Suspicious Transaction/Activity Reports with the relevant FIU/regulator as required; maintain confidentiality and no-tipping-off controls.

Correspondent/Partner Risk

  • Perform AML due diligence on banks, IMTOs, card processors, issuing partners, and program managers.

  • Contractually require AML, sanctions, and data protection compliance; audit rights included.

Data Protection & Privacy (NDPR/GDPR-aligned)

Lawful Basis & Transparency

  • Use data only for specific, explicit purposes (account opening, payments, fraud prevention, customer support).

  • Maintain easy-to-understand Privacy Notice and Cookie Policy. Consent banners must allow accept/reject/manage for non-essential cookies.

Data Subject Rights

  • Provide processes for access, correction, deletion, portability, and objection.

  • Verify identity before fulfilling requests; log and resolve within statutory timelines.

Security & Minimization

  • Collect only what’s necessary.

  • Apply encryption in transit and at rest, strong key management, role-based access, device security (MDM), and secure SDLC.

  • Maintain PCI DSS alignment for card data (PAN is never stored unless fully tokenized within a scope-reduced architecture).

Vendor & International Transfers

  • DPAs with processors; conduct privacy and security reviews.

  • For cross-border transfers, use approved mechanisms (SCCs/adequacy), and maintain records of processing activities (ROPAs).

Product-Specific Compliance Controls

FreeMe (Individuals) & Wallets

  • Fee transparency; disclose any waivers/cashback clearly.

  • KYC tiering aligns with transaction and wallet limits.

  • Clear in-app consent for notifications, analytics, and marketing preferences.

Efico (Students)

  • Student verification (ID or school email) for eligibility.

  • Financial education content available; avoid predatory design.

  • Any credit offers must follow responsible lending (see Credit section).

FreeBiz (Businesses)

  • Business verification (RC where applicable), UBO/KYC, and merchant category risk assessment.

  • Settlement terms and fees disclosed; chargeback/dispute processes documented.

Credit & Cards (separate but co-located offering)

  • No P2P lending. Kashflo credit is responsible, purpose-fit, and affordability-checked.

  • Affordability & Suitability: income/behavioral data, obligations, and stress scenarios to set safe limits.

  • Disclosure: APR/fees, repayment schedule, consequences of late payment, grace periods, and support options.

  • Collections: fair, non-harassing; hardship programs available (rescheduling, payment plans).

  • Cards: follow scheme rules and PCI DSS; strong customer authentication (step-up on risk).

Remittances & Multi-Currency

  • Currency control compliance; partner with licensed IMTOs/banks as applicable.

  • Corridor-level risk assessments and monitoring (purpose of payment, source of funds).

  • FX disclosures and receipts with rates, fees, and timelines.

Financial Advisory

  • Clear scope and disclaimers: educational guidance and non-fiduciary unless expressly contracted.

  • Suitability checks for recommendations; document client objectives and risk profile.

  • Conflict of interest disclosure (e.g., if referring to partners).

  • Marketing avoids guarantees of returns; past performance disclaimers included.

Consumer Protection & Fair Treatment

Marketing & Communications

  • Clear, accurate, not misleading. No hidden qualifiers.

  • APRs, fees, and limits stated plainly.

  • Use inclusive, accessible language; provide local context (Nigeria-first).

Complaints Management

  • Multi-channel intake (in-app chat, email, phone, web form).

  • Acknowledge within 24–48 hrs; resolve within policy timelines by severity.

  • Root-cause analysis and remediation tracked; report trends to ExCo/Board.

Whistleblowing

  • Confidential reporting via email/phone/web form; option for anonymity.

  • Non-retaliation guaranteed; investigation outcomes recorded.

  • Footer link to public Whistleblowing page.

Information Security & Resilience

Secure Development & Change Management

  • Security requirements in user stories; code review and SAST/DAST for high-risk modules.

  • Change control with rollback plans; production access restricted and logged.

Incident Response

  • 24/7 triage; classify by severity (Low through Critical), contain, eradicate, recover.

  • Notify regulators/users where required by law and contracts.

  • Post-incident review with action items and owners.

Business Continuity & Disaster Recovery

  • RTO/RPO defined per system criticality (payments, KYC, card processing highest tier).

  • Regular failover tests; vendor DR reviewed annually.

Training & Awareness

  • Onboarding and annual compliance, AML/CFT, privacy/security training.

  • Role-specific modules for Support, Risk, Engineering, and Advisory.

  • Phishing simulations and secure data handling refreshers.

Recordkeeping & Reporting

  • Retention schedules by record type (KYC, transactions, consents, complaints, advisory notes).

  • Immutable logs for financial crime investigations.

  • Regulatory reporting calendar (returns, STR/SAR deadlines, audits).

Third-Party & Vendor Management

  • Risk-tier vendors; pre-contract due diligence (security, privacy, AML where applicable).

  • Contracts: audit rights, breach notification, sub-processor controls, data localization if required.

  • Ongoing performance and control testing; offboarding with secure data return/destruction.

Monitoring, Testing & Continuous Improvement

  • First line: product/process owners run controls; self-checks.

  • Second line: Compliance performs thematic reviews, QA of KYC decisions, sampling of marketing/communications, complaint file reviews.

  • Third line (Internal Audit): independent audits per annual plan.

  • Metrics: onboarding pass rates, KYC aging, screening hits cleared vs. escalated, STR volumes, complaint resolution times, incident MTTR, training completion, consent opt-in/out trends.

  • Policy Review: at least annually or upon regulatory/product changes.

Enforcement

Breaches of this policy may lead to disciplinary action up to termination of employment/contract and, where applicable, regulatory reporting.

Public Summary

We’re committed to operating with integrity, protecting customer data, preventing financial crime, and treating customers fairly. Our controls include rigorous KYC, AML screening, transaction monitoring, data protection aligned to NDPR/GDPR, responsible lending practices, and strong security. You can read our Privacy Policy, Terms, Cookie Policy, and Whistleblowing procedures at any time.