BSA/AML & Sanctions Compliance Program (Policy)
Version: 1.0
Effective Date: January 21, 2026
Next Review Date: January 21, 2027 (or earlier upon material change)
Registered/Mailing Address: 18 King St E, Suite 1400, Toronto, ON, M5C 1C4
1) Policy Statement and Purpose
JabalPay Inc. (“JabalPay” or the “Company”) is committed to preventing its products and services from being used to facilitate money laundering, terrorist financing, sanctions evasion, fraud, or other illicit activity. This Policy establishes JabalPay’s BSA/AML and sanctions compliance program, including internal controls, governance, monitoring, escalation, recordkeeping, training, and independent testing.
This program is risk-based and will be scaled and enhanced as JabalPay expands products, geographies, funding methods, and volumes.
2) Scope
This Policy applies to:
- All founders, employees, contractors, and agents of JabalPay
- All product environments (prototype, beta, pilot, production)
- All customers and transactions facilitated through JabalPay user experiences
- All third parties that support onboarding, screening, payments, conversion/settlement, and payouts
3) Operating Model and Regulatory Posture (Partner-Led)
JabalPay is building a C2C remittance platform initially focused on the U.S. → UAE corridor. JabalPay intends to operate, where required, through regulated partners (e.g., licensed money transmitters / MSBs and regulated payout providers) that provide payment rails and/or serve as the regulated entity of record. Final allocation of compliance responsibilities (e.g., KYC, sanctions screening, transaction monitoring, regulatory reporting) will be defined in executed agreements and operating procedures.
JabalPay maintains this Policy to (i) ensure safe operations in all cases, (ii) meet partner due diligence expectations, and (iii) ensure clear internal accountability even when certain regulated functions are performed by partners. U.S. MSB regulations contemplate that agents may allocate certain program responsibilities by agreement, while still requiring an effective program and implementation.
Canada note: JabalPay’s FINTRAC MSB registration is in progress (if applicable). JabalPay will not conduct MSB activity in Canada or use Canadian payment rails for remittance activity until registration is complete and required partner approvals are in place.
4) AML Program Requirements (Core Pillars)
JabalPay’s AML program includes, at minimum:
- Written policies, procedures, and internal controls reasonably designed to assure compliance
- Designation of a Compliance Officer responsible for day-to-day oversight
- Ongoing training for relevant personnel
- Independent review/testing of the program, at least annually and upon material changes
5) Governance, Roles, and Responsibilities
5.1 Senior Management Oversight
Senior management will:
- Approve and support this Policy and ensure adequate resourcing
- Review compliance metrics and material incidents at least quarterly
- Ensure timely remediation of audit findings and control gaps
5.2 BSA/AML Compliance Officer (BCO)
The BCO is responsible for the administration of this program, including:
- Maintaining and updating this Policy and associated procedures
- Ensuring controls are implemented before launch and remain effective
- Overseeing risk assessments and risk rating methodology
- Overseeing KYC/KYB, sanctions screening, and transaction monitoring requirements (including partner oversight)
- Investigating and escalating suspicious activity and coordinating SAR processes with partners as applicable
- Ensuring training completion and coordinating independent review/testing
5.3 Product/Engineering
- Implement compliance gates in product flows (KYC required before transacting, sanctions blocks, limits)
- Ensure audit logging, evidence retention, and secure access controls
5.4 Operations / Customer Support
- Follow escalation playbooks for fraud/AML red flags
- Maintain confidentiality of investigations and SAR-related information (no tipping off)
6) Risk Assessment (Enterprise AML + Sanctions)
JabalPay maintains an enterprise AML/sanctions risk assessment that is:
- Completed prior to launch
- Reviewed at least annually
- Updated upon material changes (new corridors, new funding methods, new partners, stablecoin flows, etc.)
Risk is assessed across:
- Customer risk: identity quality, residency, occupation, source of funds, PEP/adverse media indicators
- Product risk: cross-border remittance, velocity/instant settlement, refunds/reversals, stablecoin settlement (if applicable)
- Geographic risk: sanctioned/high-risk jurisdictions, corridor-specific risk
- Channel risk: remote onboarding, device/IP anomalies, third-party funding indicators
- Partner/vendor risk: reliance on third parties and their controls
Customers are assigned Low / Medium / High risk ratings. Higher risk requires EDD and stricter limits.
7) Customer Due Diligence (CDD) / KYC
7.1 General Principle
No customer may execute transfers until identity verification and required screening are completed successfully (or performed by an approved partner with results provided back to JabalPay).
7.2 Individual Customer KYC (Minimum Data)
Subject to corridor/partner requirements, JabalPay collects and verifies:
- Full legal name, date of birth, residential address, nationality
- Phone/email verification
- Government-issued photo ID (and liveness/selfie where required)
- Sanctions/PEP screening at onboarding and ongoing
Where partners perform KYC, JabalPay ensures (i) the product enforces the KYC gate and (ii) JabalPay retains sufficient evidence and auditability to satisfy partner oversight and investigations.
7.3 Enhanced Due Diligence (EDD)
EDD is required for elevated-risk customers/transactions, including:
- PEPs or close associates/family (where identified)
- Sanctions/high-risk geography nexus
- Unclear source of funds/wealth or inconsistent behavior
- High velocity or structuring patterns
- Third-party funding signals, unusual refunds/chargebacks
EDD measures may include:
- Source of funds documentation (bank statements, pay stubs)
- Additional identity/address verification
- Lower limits and/or manual approval before allowing activity
- More frequent ongoing review cadence
Internal review thresholds (initial; configurable):
- Manual review trigger at ≥ $2,900 aggregate send volume within 24 hours (designed as an internal risk control, not a legal threshold)
- Escalation trigger for rapid repeated transfers to multiple unrelated recipients within 24–72 hours
8) Sanctions Compliance Program (OFAC-Aligned)
JabalPay maintains a sanctions compliance program consistent with OFAC’s “Framework for Compliance Commitments,” including management commitment, risk assessment, internal controls, testing/audit, and training.
8.1 Screening
JabalPay screens, directly and/or via partners:
- Customers at onboarding and periodically thereafter
- Beneficiaries/recipients where required/available
- Counterparties and relevant parties where applicable
Screening uses up-to-date sanctions lists and relevant watchlists (including OFAC lists for U.S.-related activity).
8.2 Potential Matches (Hit Handling)
- Potential matches are escalated immediately to the BCO
- Transfers are paused pending resolution
- Resolution decisions are documented (false positive rationale, supporting evidence)
- Confirmed sanctions matches result in blocking/rejection and partner notification per operating procedures
9) Transaction Monitoring and Investigations
9.1 Monitoring Approach
JabalPay uses layered monitoring (directly and/or through partners/vendors):
- Real-time interdiction: sanctions hits, prohibited geographies, high-confidence fraud signals
- Ongoing monitoring: velocity, structuring patterns, unusual corridor behavior, device/IP changes, funding anomalies
- Where stablecoin settlement is used: wallet/counterparty risk indicators as available through vendors/partners
9.2 Non-Exhaustive Red Flags
- Multiple transfers just below internal thresholds (structuring)
- Rapid pass-through behavior (fund and immediately transfer out)
- Frequent recipient changes, especially across unrelated recipients
- Multiple accounts linked to same device/IP/payment instrument
- Funding source name mismatch (where data exists)
- Elevated reversal/chargeback/refund patterns
- Unusual geography/device location changes inconsistent with profile
9.3 Case Management and SLAs
- Alerts are triaged based on severity (Low/Medium/High)
- High-risk alerts are reviewed within 24 hours (business days)
- Cases include documented evidence: KYC, transaction history, device/IP, communications, partner logs
- Outcomes include: close as false positive, request additional info, restrict limits, suspend/terminate, escalate to partner for SAR consideration
10) Suspicious Activity Escalation and SAR Processes (Partner-Coordinated)
JabalPay maintains written procedures to identify, investigate, and escalate suspicious activity.
10.1 Internal Escalation
Any personnel identifying suspicious behavior must escalate to the BCO immediately. The BCO documents:
- Facts observed, investigation performed, and rationale
- Whether the matter is escalated to a regulated partner and/or law enforcement contact
10.2 SAR Filing and Partner Coordination
Where JabalPay is the entity with a SAR filing obligation for relevant activity, SARs are filed no later than 30 calendar days after initial detection; if no suspect is identified, filing may be delayed up to an additional 30 days, but not beyond 60 days after initial detection.
Where a regulated partner is the reporting entity (common in partner-led models), JabalPay will:
- Notify the partner promptly
- Provide supporting documentation and investigative notes
- Cooperate with partner requests and follow partner reporting procedures
10.3 SAR Confidentiality (No Tipping Off)
SARs and any information that would reveal the existence of a SAR are confidential and must not be disclosed except as permitted by law. Personnel must not “tip off” customers.
10.4 Retention
JabalPay retains SARs (if filed) and all supporting documentation for five (5) years from filing date.
11) Recordkeeping and “Travel Rule” (Funds Transmittals)
JabalPay maintains records for funds transmittals consistent with Travel Rule recordkeeping and transmission expectations for transactions of $3,000 or more, including originator and beneficiary information and transaction details.
At a minimum, JabalPay retains (directly or via partner evidence):
- Originator name and address
- Amount and execution date
- Payment instructions
- Recipient financial institution
- Recipient name/address (if received), account number or other identifier
- Forms/records associated with the transfer
Records must be retrievable and retained for at least five years (or longer as required by contract/law).
12) Cash Activity (Current Position)
JabalPay is currently designed as a cashless platform (digital funding and payout rails). If cash acceptance or cash payout features are introduced, JabalPay will implement additional controls prior to launch of that feature.
13) Training
All relevant personnel and contractors receive AML/sanctions training:
- Before gaining access to production systems
- At least annually thereafter
- Whenever material changes occur (new corridors, new funding/payout methods, new partners)
Training covers:
- AML typologies and red flags relevant to remittance
- Sanctions screening and escalation
- Investigation documentation standards
- SAR confidentiality and no tipping off
Training completion is documented and retained.
14) Independent Review / Testing
JabalPay conducts independent testing at least annually and upon material change. Reviews may be conducted by:
- An external compliance consultant; or
- A qualified internal reviewer independent of daily AML operations
Review scope includes:
- Control design and operational effectiveness
- Monitoring rules and case quality
- Sanctions screening and hit resolution
- Recordkeeping and retrievability
- Partner oversight and adherence to contractual responsibilities
Findings are tracked to remediation with owners and due dates.
15) Third-Party / Partner Oversight
JabalPay performs risk-based due diligence and oversight of third parties and partners supporting AML-related functions, including:
- Contractual clarity (who performs KYC, screening, monitoring, reporting)
- SLA and incident reporting expectations
- Periodic performance/compliance reviews
- Evidence retention sufficient to support investigations and partner audits
16) Data Protection and Security (AML Evidence)
JabalPay protects customer and compliance data with:
- Least-privilege access controls and MFA
- Encryption in transit and at rest
- Tamper-evident logging and audit trails
- Retention and deletion controls aligned to legal/partner obligations
17) Exceptions, Breaches, and Remediation
Any exception to this Policy requires written approval by the BCO and CEO, with documented compensating controls.
Compliance breaches trigger:
- Immediate containment
- Root-cause analysis
- Corrective action plan and tracking
- Partner notification as required by contract or risk severity
18) Change Management
This Policy is reviewed at least annually and updated when there are material changes, including:
- New corridors or geographies
- New funding methods (e.g., cards)
- New payout rails
- Introduction of stablecoin settlement features
- New partners/vendors affecting compliance workflows
Appendix A — Red Flags (Non-Exhaustive)
- Structuring / repeated transactions just below thresholds
- Rapid pass-through activity
- Multiple unrelated recipients in short periods
- Repeated failed KYC attempts / identity inconsistencies
- Device/IP anomalies or multiple accounts tied to the same device
- Unusual reversal/chargeback/refund behaviors
- High-risk geography or sanctions nexus indicators
Appendix B — Escalation Workflow (High-Level)
- Alert generated (rule, manual report, partner escalation)
- Triage and severity assignment
- Investigation + evidence gathering
- Decision (close / restrict / suspend / terminate / escalate to partner for SAR consideration)
- Document outcome and update controls if needed
References (Selected)
- MSB AML program requirements (written program, officer, training, independent review; risk-based; allocation by agreement for agent relationships).
- MSB SAR triggers/threshold ($2,000), 30-day timing, 5-year retention, and confidentiality rules.
- Travel Rule recordkeeping and transmission requirements for funds transmittals ≥ $3,000.
- OFAC Framework for Compliance Commitments (risk-based sanctions compliance components and expectations).
