BSA/AML & Sanctions Compliance Program (Policy)

Version: 1.0
Effective Date: January 21, 2026
Next Review Date: January 21, 2027 (or earlier upon material change)
Registered/Mailing Address: 18 King St E, Suite 1400, Toronto, ON, M5C 1C4

1) Policy Statement and Purpose

JabalPay Inc. (“JabalPay” or the “Company”) is committed to preventing its products and services from being used to facilitate money laundering, terrorist financing, sanctions evasion, fraud, or other illicit activity. This Policy establishes JabalPay’s BSA/AML and sanctions compliance program, including internal controls, governance, monitoring, escalation, recordkeeping, training, and independent testing.

This program is risk-based and will be scaled and enhanced as JabalPay expands products, geographies, funding methods, and volumes.

2) Scope

This Policy applies to:

3) Operating Model and Regulatory Posture (Partner-Led)

JabalPay is building a C2C remittance platform initially focused on the U.S. → UAE corridor. JabalPay intends to operate, where required, through regulated partners (e.g., licensed money transmitters / MSBs and regulated payout providers) that provide payment rails and/or serve as the regulated entity of record. Final allocation of compliance responsibilities (e.g., KYC, sanctions screening, transaction monitoring, regulatory reporting) will be defined in executed agreements and operating procedures.

JabalPay maintains this Policy to (i) ensure safe operations in all cases, (ii) meet partner due diligence expectations, and (iii) ensure clear internal accountability even when certain regulated functions are performed by partners. U.S. MSB regulations contemplate that agents may allocate certain program responsibilities by agreement, while still requiring an effective program and implementation.

Canada note: JabalPay’s FINTRAC MSB registration is in progress (if applicable). JabalPay will not conduct MSB activity in Canada or use Canadian payment rails for remittance activity until registration is complete and required partner approvals are in place.

4) AML Program Requirements (Core Pillars)

JabalPay’s AML program includes, at minimum:

  1. Written policies, procedures, and internal controls reasonably designed to assure compliance

     

  2. Designation of a Compliance Officer responsible for day-to-day oversight

     

  3. Ongoing training for relevant personnel

     

  4. Independent review/testing of the program, at least annually and upon material changes

     

5) Governance, Roles, and Responsibilities

5.1 Senior Management Oversight

Senior management will:

5.2 BSA/AML Compliance Officer (BCO)

The BCO is responsible for the administration of this program, including:

5.3 Product/Engineering

5.4 Operations / Customer Support

6) Risk Assessment (Enterprise AML + Sanctions)

JabalPay maintains an enterprise AML/sanctions risk assessment that is:

Risk is assessed across:

Customers are assigned Low / Medium / High risk ratings. Higher risk requires EDD and stricter limits.

7) Customer Due Diligence (CDD) / KYC

7.1 General Principle

No customer may execute transfers until identity verification and required screening are completed successfully (or performed by an approved partner with results provided back to JabalPay).

7.2 Individual Customer KYC (Minimum Data)

Subject to corridor/partner requirements, JabalPay collects and verifies:

Where partners perform KYC, JabalPay ensures (i) the product enforces the KYC gate and (ii) JabalPay retains sufficient evidence and auditability to satisfy partner oversight and investigations.

7.3 Enhanced Due Diligence (EDD)

EDD is required for elevated-risk customers/transactions, including:

EDD measures may include:

Internal review thresholds (initial; configurable):

8) Sanctions Compliance Program (OFAC-Aligned)

JabalPay maintains a sanctions compliance program consistent with OFAC’s “Framework for Compliance Commitments,” including management commitment, risk assessment, internal controls, testing/audit, and training.

8.1 Screening

JabalPay screens, directly and/or via partners:

Screening uses up-to-date sanctions lists and relevant watchlists (including OFAC lists for U.S.-related activity).

8.2 Potential Matches (Hit Handling)

9) Transaction Monitoring and Investigations

9.1 Monitoring Approach

JabalPay uses layered monitoring (directly and/or through partners/vendors):

9.2 Non-Exhaustive Red Flags

9.3 Case Management and SLAs

10) Suspicious Activity Escalation and SAR Processes (Partner-Coordinated)

JabalPay maintains written procedures to identify, investigate, and escalate suspicious activity.

10.1 Internal Escalation

Any personnel identifying suspicious behavior must escalate to the BCO immediately. The BCO documents:

10.2 SAR Filing and Partner Coordination

Where JabalPay is the entity with a SAR filing obligation for relevant activity, SARs are filed no later than 30 calendar days after initial detection; if no suspect is identified, filing may be delayed up to an additional 30 days, but not beyond 60 days after initial detection.

Where a regulated partner is the reporting entity (common in partner-led models), JabalPay will:

10.3 SAR Confidentiality (No Tipping Off)

SARs and any information that would reveal the existence of a SAR are confidential and must not be disclosed except as permitted by law. Personnel must not “tip off” customers.

10.4 Retention

JabalPay retains SARs (if filed) and all supporting documentation for five (5) years from filing date.

11) Recordkeeping and “Travel Rule” (Funds Transmittals)

JabalPay maintains records for funds transmittals consistent with Travel Rule recordkeeping and transmission expectations for transactions of $3,000 or more, including originator and beneficiary information and transaction details.

At a minimum, JabalPay retains (directly or via partner evidence):

Records must be retrievable and retained for at least five years (or longer as required by contract/law).

12) Cash Activity (Current Position)

JabalPay is currently designed as a cashless platform (digital funding and payout rails). If cash acceptance or cash payout features are introduced, JabalPay will implement additional controls prior to launch of that feature.

13) Training

All relevant personnel and contractors receive AML/sanctions training:

Training covers:

Training completion is documented and retained.

14) Independent Review / Testing

JabalPay conducts independent testing at least annually and upon material change. Reviews may be conducted by:

Review scope includes:

Findings are tracked to remediation with owners and due dates.

15) Third-Party / Partner Oversight

JabalPay performs risk-based due diligence and oversight of third parties and partners supporting AML-related functions, including:

16) Data Protection and Security (AML Evidence)

JabalPay protects customer and compliance data with:

17) Exceptions, Breaches, and Remediation

Any exception to this Policy requires written approval by the BCO and CEO, with documented compensating controls.

Compliance breaches trigger:

18) Change Management

This Policy is reviewed at least annually and updated when there are material changes, including:

Appendix A — Red Flags (Non-Exhaustive)

Appendix B — Escalation Workflow (High-Level)

  1. Alert generated (rule, manual report, partner escalation)

     

  2. Triage and severity assignment

     

  3. Investigation + evidence gathering

     

  4. Decision (close / restrict / suspend / terminate / escalate to partner for SAR consideration)

     

  5. Document outcome and update controls if needed

     

References (Selected)

JabalPay Inc. is registered as a money services business with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), registration No. N300000035. Federally incorporated under the Canada Business Corporations Act, Corp. No. 1758485-7. Suite 1400, 18 King Street East, Toronto, ON M5C 1C4, Canada. JabalPay is a money services business, not a bank.