Drumbell Technologies Limited · Trading as Blomgram
Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Sanctions Compliance Policy
Policy Statement
Drumbell Technologies Limited (Blomgram) (“the Company”) is committed to maintaining the highest standards of integrity and regulatory compliance in its operations. The Company implements robust AML, CFT, and Sanctions Compliance controls in accordance with applicable laws, including:
- Money Laundering (Prevention and Prohibition) Act, 2022
- Terrorism (Prevention and Prohibition) Act, 2022
- Regulations issued by the Central Bank of Nigeria
- Guidelines issued by the Nigerian Financial Intelligence Unit
- Relevant United Nations Security Council Sanctions Lists
- Applicable international best practices, including the Financial Action Task Force Recommendations
The Company adopts a risk-based approach to identifying, assessing, monitoring, and mitigating risks associated with money laundering, terrorist financing, and sanctions violations.
Our Objectives
The major objective of this Policy is to establish a robust framework to prevent the Company from being used as a vehicle for money laundering, terrorist financing, or other financial crimes, and to ensure full compliance with all applicable AML/CFT laws, regulations, and regulatory requirements.
This Policy further seeks to implement effective procedures for customer due diligence, transaction monitoring, and the timely detection and reporting of suspicious activities to relevant authorities, while ensuring compliance with applicable national and international sanctions regimes. Ultimately, the Policy is intended to protect the Company from reputational, legal, regulatory, and financial risks associated with financial crime and to promote a strong culture of compliance and integrity across its operations.
Scope
This Policy applies to all Directors, Management, Employees, Agents, Contractors, Vendors, Customers, and Third-Party Partners engaged with or acting on behalf of the Company, and governs all business activities undertaken in the course of the Company’s operations.
It extends to all financial services provided by the Company, all customer relationships established or maintained, and all products, platforms, and digital channels utilised in the delivery of such services. This Policy applies across all jurisdictions in which the Company operates or conducts business, whether directly or through third-party arrangements.
Definitions
Money Laundering
Any act intended to conceal or disguise the origin, nature, ownership, or control of funds or assets derived from criminal activity, in order to make such funds appear to originate from legitimate sources.
Terrorist Financing
The provision, collection, or movement of funds or assets, whether from lawful or unlawful sources, with the intention or knowledge that such funds may be used to support terrorist acts, organisations, or individuals.
Sanctions
Restrictions or prohibitions imposed by national or international authorities that limit or prevent dealings with designated individuals, entities, organisations, or jurisdictions, including measures such as asset freezes and transaction prohibitions.
Politically Exposed Person (PEP)
An individual entrusted with prominent public functions, including senior government officials and their immediate family members or close associates, who may present a higher risk of corruption or financial crime.
Beneficial Owner
The natural person who ultimately owns, controls, or exercises significant influence over a customer or legal entity, or on whose behalf a transaction is conducted.
Governance Structure
Board of Directors
The Board of Directors shall have overall responsibility for the approval and periodic review of the Company’s AML/CFT and Sanctions policies and shall exercise oversight over their effective implementation. The Board shall ensure adequate human, technological, and financial resources are allocated to support compliance obligations and shall periodically review compliance and risk management reports.
Compliance Officer (Money Laundering Reporting Officer – MLRO)
The Company designates a qualified Compliance Officer serving as the MLRO with primary responsibility for the implementation and day-to-day administration of the AML/CFT and Sanctions compliance programme. The MLRO is responsible for establishing and maintaining effective AML/CFT procedures, reviewing and reporting suspicious transactions to the appropriate regulatory authorities, liaising with regulators and law enforcement agencies, maintaining accurate compliance records, and ensuring ongoing AML/CFT training for staff.
Compliance Unit Responsibilities
The Compliance Unit supports the MLRO by conducting periodic risk assessments, monitoring customer transactions for unusual or suspicious activity, maintaining regulatory reporting obligations, ensuring effective sanctions screening, and conducting periodic internal compliance reviews.
Risk-Based Approach
The Company adopts and maintains a Risk-Based Approach (RBA) to identify, assess, and manage money laundering, terrorist financing, and sanctions risks. Risk factors assessed include customer profile and activities, geographic exposure, product and service risk, and delivery channel risk.
Customers and transactions are assigned risk levels of Low, Medium, or High, subject to commensurate controls. High-risk customers and transactions are subject to enhanced due diligence and increased monitoring.
Customer Due Diligence (CDD)
CDD is conducted prior to the establishment of any business relationship or the execution of any qualifying transaction. The Company identifies, verifies, and maintains records of customer identity, beneficial ownership, and the nature and purpose of the relationship.
Standard CDD Requirements
Individual customers must provide their full name, date of birth, residential address, contact details, a valid government-issued identification, BVN, and NIN. Corporate customers must provide incorporation documents, constitutional documents, a board resolution, details of directors, beneficial ownership information, and corporate bank account details.
Enhanced Due Diligence (EDD)
EDD applies to higher-risk customers, including Politically Exposed Persons, customers from high-risk jurisdictions, complex ownership structures, and suspicious transactions. In such cases, the Company obtains source of funds and, where appropriate, source of wealth, secures senior management approval, and applies enhanced ongoing monitoring.
Sanctions Compliance Policy
The Company maintains and enforces a sanctions compliance framework designed to ensure strict adherence to all applicable sanctions obligations, including those issued by the United Nations, relevant national authorities, and other applicable regulatory bodies.
Sanctions Screening
All customers, counterparties, and relevant transactions are subject to sanctions screening against applicable sanctions lists, watchlists, and PEP databases at onboarding, on a periodic basis, and prior to the execution of any transaction.
Prohibited Transactions
The Company shall not establish or maintain any business relationship with, or process any transaction involving, individuals or entities designated under applicable sanctions regimes. Any actual or potential sanctions match is treated as a compliance alert and escalated immediately for review, investigation, and appropriate regulatory action.
Transaction Monitoring
The Company maintains effective transaction monitoring systems designed to identify, detect, and review transactions that may indicate money laundering, terrorist financing, or other suspicious activity. This includes detection of unusual transaction patterns, structuring or smurfing activities, rapid or unexplained movement of funds, and transactions inconsistent with the customer’s known profile.
The Company employs a combination of automated monitoring systems and manual review processes to ensure continuous oversight. Alerts are promptly reviewed, investigated, and escalated in accordance with established internal procedures.
Suspicious Transaction Reporting (STR)
All suspicious transactions are promptly identified and reported to the Nigerian Financial Intelligence Unit (NFIU) in accordance with applicable laws and within all prescribed statutory timelines.
All employees must first escalate any suspicion internally to the MLRO without delay. Disclosure of any information to a customer or third party (“tipping off”) is strictly prohibited and constitutes a serious disciplinary and regulatory breach.
Record Keeping
The Company maintains comprehensive records of all business relationships and transactions for a minimum period of five (5) years or such longer period as may be required under applicable laws. Such records include customer identification and verification documents, transaction logs, due diligence files, and all suspicious transaction reports.
All records are securely stored to ensure their integrity, confidentiality, accessibility, and protection against unauthorised alteration, loss, or destruction.
Employee Training
All employees receive appropriate AML/CFT training as part of their onboarding and on an ongoing basis, including mandatory induction training, annual refresher training, and specialised training for compliance and high-risk roles. Training covers key AML/CFT obligations, identification of red flags, detection of suspicious activities, and reporting requirements.
Internal Audit and Compliance Testing
The Company conducts periodic internal audits and compliance testing to assess adherence to this Policy and applicable AML/CFT requirements. Such audits include the review of compliance processes, identification of control weaknesses, and recommendation of corrective and remedial actions. Independent audits may also be commissioned periodically.
Reporting Obligations
The Company complies with all applicable regulatory reporting obligations by submitting required reports to the Central Bank of Nigeria and the NFIU. Such reports include Suspicious Transaction Reports (STRs), Currency Transaction Reports (CTRs), and other risk or compliance-related reports as required by regulators. All reports are prepared and submitted within prescribed statutory timelines.
Risk Assessment Policy
The Company maintains a structured risk assessment framework that includes an Enterprise-Wide Risk Assessment (EWRA), periodic annual AML risk reviews, and risk evaluations of all products, services, and delivery channels. All risk assessments are properly documented, regularly updated, and approved in accordance with the Company’s governance structure.
Third-Party Risk Management Policy
All third-party vendors, service providers, and partners are subject to appropriate due diligence, risk assessment, and compliance verification prior to engagement and on an ongoing basis. Assessments include evaluation of integrity, operational capability, and AML/CFT risk exposure.
All third parties are contractually required to comply with applicable AML/CFT obligations, data protection laws, and other relevant regulatory requirements, and are subject to ongoing monitoring.
Data Privacy and Confidentiality Policy
The Company complies with all applicable data protection laws and regulations, including the Nigeria Data Protection Act 2023 and guidelines issued by the Nigeria Data Protection Commission (NDPC). Customer data is treated as strictly confidential and is securely stored, access-controlled, and protected against unauthorised access, disclosure, alteration, or destruction. Access is limited to authorised personnel on a need-to-know basis.
Fraud Prevention Policy
The Company maintains appropriate fraud prevention and detection systems, including technological controls, user authentication mechanisms, and incident response procedures. All suspected or confirmed fraud incidents are promptly logged, thoroughly investigated, and escalated in accordance with the Company’s internal reporting structure and applicable regulatory requirements.
Whistleblowing Policy
The Company maintains a whistleblowing framework that enables employees and relevant stakeholders to report suspicious activities and suspected compliance breaches or fraud attempts. All reports may be made confidentially. The Company ensures that no employee or reporter suffers any form of retaliation, victimisation, or adverse consequence for making a report in good faith.
Cybersecurity Policy
The Company implements and maintains appropriate cybersecurity measures to safeguard its systems, networks, and data from unauthorised access, breaches, and cyber threats. Such measures include secure network architecture, encryption of sensitive data, robust access control mechanisms, and documented incident response procedures.
The Company also conducts periodic penetration testing and vulnerability assessments to evaluate the effectiveness of its security controls and ensure continuous improvement.
Business Continuity and Disaster Recovery Policy
The Company maintains appropriate business continuity and disaster recovery arrangements designed to ensure the uninterrupted continuation of critical operations in the event of system failures, disruptions, or other unforeseen incidents. These arrangements include documented disaster recovery plans, secure and regularly updated data backup systems, and established business continuity procedures to minimise operational downtime and data loss. Arrangements are reviewed and tested at least annually.
Policy Violations
Any breach or violation of this Policy is treated as a serious compliance matter and may result in disciplinary action, up to and including termination of employment or contractual engagement. Where applicable, such violations may also attract civil, regulatory, or criminal consequences in accordance with relevant laws and regulatory requirements.
Policy Review
This Policy is reviewed periodically, and in any event not less than once every six (6) years, to ensure its continued adequacy and effectiveness. It is also reviewed and updated as necessary in response to changes in applicable laws and regulations, the introduction of new products or services, or any material changes in the Company’s risk profile or operating environment.
Signed
Fortune Chiemezie Okwu
Director, Drumbell Technologies Limited