Financial Crime Compliance Manual

I. Introduction

Paynetics UK Ltd (“Paynetics”, “we” or “us”) is an Electronic Money Institution (EMI) authorised by the Financial Conduct Authority (“FCA”) in the United Kingdom (“UK”) to offer customers in the UK, either directly or through programme managers, e-money accounts with associated debit cards (both physical and virtual). Paynetics UK uses the infrastructure and technology of its parent company, Paynetics AD, for card issuing, acquiring and payment services to serve clients in the UK.

As a regulated entity in the UK, Paynetics is committed to detecting and preventing money laundering, terrorist financing and other financial crime activity. This financial crime manual (“Manual”) is to serve as the primary financial crime manual to safeguard against financial crime risk (“FCR”).

Paynetics defines FCR as set out below, in line with global regulators’ understanding and expectations of the same. It therefore includes:

  1. Anti-Money Laundering (AML) or Money Laundering (ML) risk;

  2. Combating Terrorist Financing (CTF) or Terrorist Financing (TF) risk;

  3. Trade & Economic Sanctions (including proliferation finance);

  4. Anti-Bribery & Corruption (ABC);

  5. Fraud (internal and external); and

  6. Tax Evasion.

The term “AML” may also be used throughout this document to refer to all of the FCR items 1-6 listed above.

Any suspicion of any crime must be reported as an internal Suspicious Activity Report (“iSAR”) directly to the Paynetics UK MLRO and deputy/equivalent. Failure to submit a SAR is a serious offence (‘Failure to Report’) and may result in both internal discipline and/or criminal censure.

This manual provides general guidance intended to inform, advise, and support the development of financial crime prevention measures. It does not replace, override, or substitute the established AML procedures of Paynetics or its partners. All policies, procedures, and other related documents must continue to follow the firm’s standard governance, review, and approval processes before implementation.

II. Money Laundering and Terrorism Financing

Money laundering is the process by which an individual or group seeks to legitimise criminal proceeds by disguising the illegal origin of the funds. Money is laundered in three stages:

  • In the initial stage, known as placement, the launderer seeks to introduce their illegal funds into the financial system. This may be done through a number of mechanisms, including by breaking up large amounts of cash into smaller sums which are deposited directly into a bank account.

  • In the second stage, known as layering, the launderer engages in a series of conversions or movements of the funds to distance them from their source, for example, by channelling the funds through the purchase and sale of investment instruments.

  • During the final stage, known as integration, the now ‘clean’ money is withdrawn from the account to be used for whatever purposes the person so wishes.

Terrorists regularly adapt how and where they raise and move funds and other assets in order to circumvent safeguards that jurisdictions have put in place to detect and disrupt this activity. Identifying, assessing, and understanding terrorist financing is an essential part of dismantling and disrupting terrorist networks, as well as the effective implementation of the risk-based approach of counter terrorist financing measures.

III. Risk-Based Approach

Taking a risk-based approach to combatting financial crime entails assessing the risks that Paynetics faces in relation to its clients, nature of business, and products and services, and applying control measures commensurate and appropriate to the determined level of those risks. It is therefore important to understand the risks inherent in our own business prior to conducting due diligence on our clients on a risk-sensitive and case-by-case basis, to determine a complete risk profile of the customer. Paynetics does this by conducting formal risk assessments on its enterprise, distributors, acquirers, business, and clients.

It is not appropriate to apply a “one size fits all” approach to preventing money laundering, as each client is unique in their risk profile. By identifying the risks inherent in Paynetics’ activities and defining a risk-based approach by which Know Your Customer (“KYC”) and other due diligence checks will be conducted, we are better able to identify high-risk clients and apply measures suited to each situation. In doing so, Paynetics hopes to establish an effective AML control framework under which it may operate.

While this Manual has been designed to cover most situations, the Firm recognises the ever-evolving nature of the industry and the fact that new risks may arise which cannot be covered by this manual. As such, the manual is designed to allow for adequate flexibility to decide on the most effective ways to address such risks. All employees are expected to remain aware of potential AML risks in their day-to-day business and discuss any concerns with Compliance and/or Management.

IV. Systems & Controls – Overview

The Paynetics FCR Systems & Controls focus on the following 9-point Compliance Pillar Framework and supporting Programme, namely:

    1. Risk Appetite

    2. Governance Arrangements, including:

      1. Senior Management Oversight arrangements (e.g., Boards and Committees overseeing FCR);

      2. People suitability (location, seniority, reporting lines, experience, qualifications and similar);

      3. Outsourced/Insourced FCR activities and oversight of the same; and

      4. FCR IT systems landscape, selection, reliance, and use.

    3. Risk Assessments:

      1. Enterprise-Wide Risk Assessment;

      2. Customer Risk Assessment (“CRA”).

    4. Policies and Procedures

    5. Training of Staff:

      1. Required annual AML training for all staff and relevant contractors, and

      2. Tailored training specific to the risks in the e-money industry.

    6. Incident Management

    7. Reporting Requirements (internal & external)

    8. Monitoring & Testing

    9. Data Management

V. Risk Appetite

This document seeks to recognise and implement the many and various legislative, regulatory and industry good practice requirements, rules and/or standards (“requirements”), which include, but are not limited to, the requirements of:

  • UK Proceeds of Crime Act (as amended);

  • Various UK Terrorism Acts (as amended);

  • The UK Money Laundering Regulations;

  • FCA Handbook;

  • UK JMLSG.

The substantive offences which could relate to ML, TF and Sanctions may carry both criminal and/or civil penalties for staff and/or Paynetics. The typical offences include, but are not limited to:

  • Substantive offences of ML, e.g., transferring, concealing, disguising, converting, or removing criminal property to, from or within a country – this includes attempts in relation to substantive offences;

  • Facilitating another to acquire, retain, use or control criminal/terrorist property/assets;

  • Using or having possession of criminal/terrorist property/assets;

  • Failure to report offences;

  • Tipping off a person or party that a Suspicious Activity Report (SAR) has been made; and

  • Failing to have adequate procedures to mitigate FCR elements as required.

Paynetics believes that FCR poses a significant risk to the world economy and will do its part to mitigate this wherever possible. As such, Paynetics maintains a zero-tolerance policy for knowingly breaching any applicable requirement of FCR or indeed any Paynetics FCR system and/or control.

This Manual is designed to mitigate and manage ML, TF & Sanctions risks by establishing and/or maintaining adequately designed and implemented systems and controls to mitigate the risk of the Paynetics platform being used to facilitate FCR.

All Paynetics key business partners and employees must comply with applicable principles of this Manual. We expect these partners to have similar systems and controls themselves.

English is the official language of Paynetics and all FCR Systems & Controls are documented, and are to continue to be documented, in English (this includes customer services, complaints and/or other areas that may be connected to future possible FCR). This also includes any Boards where FCR-related items are discussed and/or approved.

VI. Definition of the Client

For the purposes of this Manual, it is essential to define who constitutes the “client”, as the application of KYC/KYB measures depends on this identification. The client differs depending on whether Paynetics is providing acquiring or issuing services, and the type of contractual relationship involved.

In acquiring, the client is the merchant that has a contractual relationship with Paynetics. CDD is performed on the merchant to verify identity, ownership structure, and beneficial owners, and to assess the AML risk of the relationship. End customers of the merchant are not considered clients for CDD purposes. In practice, this involves obtaining corporate documents, verifying directors and beneficial owners, reviewing the nature of the merchant’s business, and screening against sanctions, PEP, and adverse media lists. Transaction patterns may also be monitored to detect unusual activity.

In issuing, the client is typically the account holder, which may be a company or natural person. CDD is performed on the account holder to verify identity, ownership, control, and risk profile. The card user, who may be the same as the account holder or a third party, such as an employee, program participant, or end customer, is only subject to CDD if they are the contractual client. Where the cardholder is not the contractual client, verification focuses on the account holder. In practice, this involves collecting identification documents, company registration documents, shareholder information, and beneficial owner details, screening all relevant parties, and ensuring contractual arrangements clearly define the responsibilities of the account holder. If a programme has card users who are not subject to CDD, this should be approved by Paynetics as part of the overall approval of the programme.

Examples of practical application: if a distributor issues cards directly to their end customers, those end customers are treated as clients, and full CDD is performed on them, including verifying identity documents and address information. In contrast, where cards are issued as part of an employee benefits program or airline compensation program, the employer or airline is the client, and CDD is performed on that organization; individual cardholders are not subject to CDD.

VII. Client Identification Programme

Understanding who our clients are, their nature of business, the jurisdiction in which they operate, and the source of their funds enables the Firm to actively prevent the platform from being used for nefarious activities. Having a robust customer identification programme (“CIP”) is an essential component of global efforts to prevent financial crime and enables a firm to meet the know your customer (“KYC”) regulatory obligations.

At a minimum, CIP is the process by which Paynetics (or its programme manager on its behalf as part of an outsourced relationship) will implement:

a. Procedures to adequately identify and verify potential customers prior to engaging in any business relationship; and

b. Systems and controls to appropriately monitor existing customers.

For the purposes of this Manual, a client is the natural person or legal entity with whom Paynetics has established a business relationship. A business relationship is a business, professional or commercial relationship between a firm and a customer, which is connected to the business of the firm, and is expected by the firm at the time when contact is established to have an element of duration.

Subject to any exceptions, which will be assessed by the MLRO on a case-by-case basis, CIP must be completed prior to the establishment of a customer relationship. As such, no entity may be admitted to Paynetics prior to completion of customer due diligence (“CDD”).

Customer Due Diligence

By conducting customer due diligence, Paynetics will seek to identify who the client is, what is the nature and purpose of the proposed business relationship and verify this information against appropriate documentary evidence. The principle underlying these procedures is to obtain accurate, timely and adequate information to gain an insight into the identity and practices of our clients. Should a client refuse to comply with the onboarding requirements, no transactions or other business activities may be carried out.

Paynetics may impose different standards of due diligence on its clients: simplified, standard, or enhanced due diligence. The nature of the CDD will be determined by the risk profile of the client, as determined by the Client Risk Assessment (“CRA”) to be conducted during the onboarding process.

Standard due diligence is the base level due diligence that the majority of clients will undergo when being onboarded to the firm. All high-risk clients will be subjected to enhanced due diligence.

All prospective clients of Paynetics will be subject to CDD processes, defined by the specific customer type that Paynetics will be facing and the standard of due diligence required, as decided by the client’s risk rating.

The nature of information required to complete CDD will be determined by the entity type and the nature of the relationship with the entity. These matrices will similarly be used by the onboarding analyst to ensure that all requirements have been captured.

Identifying the Client

Paynetics’ clients will be natural persons or corporate clients. Understanding who our client is requires us to take reasonable measures to identify them, including their beneficial ownership and/or significant control (for legal entities). “Beneficial owner” refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement. Where the customer is a natural person, the customer is the beneficial owner and no further identification is required.

Paynetics will seek to identify the natural persons who ultimately own and control (whether directly or indirectly) the customer. In instances where a client is a subsidiary of a company that is either a) publicly listed on a recognised regulated market, or b) regulated by a recognised National Competency Authority, the requirement to identify a natural person is satisfied by verifying the relationship between the parent entity and subsidiary, and the parent entity’s regulated or listed status.

Determining the identity of the beneficial owner will depend on the legal structure of the entity. For example, the beneficial owner of a private corporate body is normally an individual who ultimately owns or controls 25% or more of the body corporate or partnerships of the customer. Control or ownership can be exercised through direct or indirect holdings and includes individuals who ‘otherwise exercise significant influence or control over the body corporate’. In practice, this means starting with a search on Companies House to review the register of Persons with Significant Control (PSC), examining shareholder information, and corporate documents such as share registers, articles of association, or partnership agreements. Where indirect ownership is suspected, it may also involve tracing ownership through parent or holding companies until the natural person(s) with ultimate ownership or control are identified.

In line with standard industry practice, the identity of a beneficial owner must be verified using documents or information obtained from a reliable source that is independent of the customer. For onboarding purposes, documents issued by a reliable source (such as a government authority) will be accepted even if provided to the Firm by the client. Reliable sources include official company registries (e.g., Companies House extracts, certificate of incorporation, register of Persons with Significant Control), constitutional documents (e.g., memorandum and articles of association, partnership agreements, trust deeds), official shareholder or shareholding registers, annual returns or confirmation statements, and filings with relevant regulators. Where necessary, additional confirmation may be sought from financial statements, notarial certifications, or equivalent official documentation.

Nature of Business

Paynetics will seek to understand the nature and purpose of the proposed business relationship to ensure it is in line with the firm’s expectations and to provide a basis for ongoing monitoring. Based on the conclusion of a CRA, the firm will look to obtain information relating to:

  • Nature and details of the customer;

  • Record of residential/registered/trading address;

  • The expected source and origin of the funds to be used in the relationship (when applicable);

  • The origin of the initial and ongoing source(s) of wealth and funds (when applicable);

  • The various relationships between signatories and with underlying beneficial owners;

  • The anticipated level and nature of the activity that is to be undertaken through the relationship.

Source of Wealth and Funds

Paynetics is expected to establish the sources of wealth and funds of its high-risk clients. ‘Source of wealth’ describes how a customer or beneficial owner ‘acquired their total wealth’. ‘Source of funds’ refers to the ‘origin of the funds involved in the business relationship or occasional transaction’.

VIII. Simplified Due Diligence (“SDD”)

There may be circumstances where simplified due diligence (SDD) can be applied. However, this is not the standard approach of Paynetics UK, and written consent from the MLRO must be obtained before SDD is applied. Such customers, who meet the following profile, may then be in scope for a simplified due diligence process, under which the firm may adjust the quantity, quality, timing, or type of CDD measures being applied to a prospective client. SDD may be applied for clients that are:

  1. Regulated financial institutions:

    • Regulated by a recognised national competency authority in a low-risk country; and

    • Subject to the requirements of the UK MLRs or equivalent.

  2. Listed on a regulated market and subject to stringent public disclosures and audits.

Regardless of whether a client meets the above criteria, at the direction of the MLRO, Compliance will exercise discretion as to whether to apply SDD measures, in particular if there are any reasonable grounds to suspect nefarious activities.

Simplified due diligence is not an exemption from conducting CDD, nor from conducting ongoing monitoring, but rather allows for a level of CDD to be carried out commensurate to the risks presented. The information obtained through this process must enable Paynetics to be reasonably satisfied that no further information is required and additionally facilitate appropriate monitoring of the business relationship.

IX. Standard Customer Due Diligence

Standard customer due diligence is applied for all natural persons and legal entities which are assessed as low and medium risk in the CRA. During CDD, clients will be requested to provide certain information at the beginning of a new relationship. The purpose is to obtain a first insight into the makeup of the client by identifying their legal form, nature of business and ownership structure (when applicable). This will allow the Firm to determine the information that will be required to complete KYC in the first instance, based on key client information.

At a minimum, the questions will include:

  • Identifying the customer and verifying their identity by obtaining and checking official documents. In practice, this involves requesting government-issued photo identification (such as a valid passport, national identity card, or driving licence). For corporate customers, this will also include company registry extracts, certificate of incorporation, and details of directors and shareholders;

  • Identifying the UBOs and taking reasonable measures to verify the identity thereof, including measures to understand the ownership and control structure of the customer;

  • Ongoing monitoring of the established business relationship and transaction monitoring.

CDD on Natural Persons

Paynetics identifies and verifies the identity of the customer who is a natural person, which includes legal representatives (directors of legal entities), authorised signatory or sole proprietor, by collecting the data and documents described below. The collected information is stored in the customer file and should, at a minimum, contain the following:

Natural Person (incl. legal representatives)

1. Full name.

2. Date and place of birth.

3. An official personal identification number or another unique identifier stated in an official identity document which has not expired, and which bears a photograph of the customer.

4. Country of permanent residence and address (a post box number is not sufficient).

5. Email.

Sole Proprietor

1. Full name of the person and the company under which they do business.

2. Registered address and trading address.

3. Business activity (indicate the main activity).

4. Date and place of birth of the owner.

5. Company number or other unique identification number.

6. Email.

7. An official personal identification number or another unique identifier stated in an official identity document which has not expired, and which bears a photograph of the natural person.

8. Country of permanent residence and address of the sole proprietor (a post box number is not sufficient).

Authorised Signatory

1. Full name.

2. Date and place of birth.

3. An official personal identification number or another unique identifier stated in an official identity document which has not expired, and which bears a photograph of the customer.

4. Country of permanent residence and address (a post box number is not sufficient).

5. Professional activity/occupation.

6. Email.

In addition to the collection of the above, it is mandatory to perform the following checks:

  1. PEPs and RCAs.

  2. Sanctions, covering sanctions lists issued by the United States (OFAC), United Nations (UN), United Kingdom (HMT), and European Union (EU).

  3. Adverse Media.

  4. Document validity and integrity checks, to confirm that the documents provided are genuine, current, and have not been tampered with. In practice, this is done by inspecting security features (like holograms or watermarks), checking expiry dates, ensuring consistency with other documents, and verifying against official sources where possible. For UK documents, this can include:

CDD on Legal Entities

Legal entities are identified and verified by obtaining, as a minimum, the following:

  1. Official extract from UK Companies House, including the company’s current status.

  2. A copy of the memorandum of association, incorporation act, or other similar document.

  3. Registered and trading address of the entity.

  4. ID card or Passport, as a proof of identity of the Directors and Authorised representatives.

  5. ID card or Passport, as a proof of identity of the Ultimate Beneficial Owners.

  6. Ultimate Beneficial Owners declaration, if applicable.

  7. Power of Attorney, if applicable, which must be notarized/officially certified expressly indicating representative authority.

Legal Entity

1. Company name.

2. Company number or another ID number by which it is entered in the relevant register.

3. Registered and trading address.

4. Current business activity and the purpose and nature of the business relationship to be established.

5. The names of the natural persons exercising control, management or representation.

6. The ownership structure, management and control of the customer.

7. Companies House extract and copy of the incorporation act.

8. E-mail address.

Ultimate Beneficial Owner (“UBO”)

1. Information from the relevant register and the documents required for its identification.

2. The documents and reports submitted for identification of the legal entity, as well as other documents, from which the UBO and the nature and type of ownership or control can be identified, and which leave no doubt that the person to whom the information received under point 1 relates is the actual UBO.

3. UBO declaration form, if applicable, when the information collected by the means referred to in points 1 and 2 is insufficient to identify the natural person who is the beneficial owner of the customer-legal entity.

4. For any individual who is the UBO of a customer - legal entity, the data for identification for natural persons is also collected as set forth in the table above.

In addition to the collection of the above, it is mandatory to perform the following checks:

    1. At least one director and all UBOs holding 25% or more of the shares will have their identity verified using an online ID&V solution. If online verification is not possible, the director or UBO may provide photos of their ID document, which the Onboarding Analyst will then manually check to confirm the document’s validity.

    2. Company documents will be verified against public registers.

    3. Screenings to be performed on the company, UBOs, and directors of the company:

      • PEPs and RCAs;

      • Sanctions, covering sanctions lists issued by the United States (OFAC), United Nations (UN), United Kingdom (HMT), and European Union (EU);

      • Adverse Media.

X. Enhanced Due Diligence (“EDD”)

In contrast to SDD, firms are required to take additional or enhanced measures to manage and mitigate situations where a customer has been assessed to carry a higher money laundering risk. Industry guidelines, such as the JMLSG, outline specific high-risk circumstances where EDD measures are required. Paynetics will follow these guidelines in all jurisdictions to which it may onboard clients, as this has been recognised to be industry best practice:

  1. In any case identified by the firm under its risk assessment;

  2. In any business relationship or transaction with a person established in a high-risk third country, in accordance with the UK list of high-risk third countries and FATF grey list;

  3. If Paynetics has determined that a customer or potential customer is a PEP, or a family member or known close associate of a PEP.

EDD measures must be proportionate to the risks identified and must specifically further examine the background and purpose of the relationship; and increase the degree and nature of monitoring of the business relationship. Examples of EDD measures include:

  • Obtaining, and where appropriate verifying, additional information on the customer and updating more regularly the identification of the customer and any beneficial owner. In practice, this includes checking that identification documents such as passports, driving licences, or national ID cards are valid and current, requesting information on residential/registered address, reviewing corporate information for legal entities including Companies House extracts and registers of directors and shareholders, and verifying ownership or control structures through share registers, partnership agreements, or trust deeds. Reliable external sources such as government registries or credit reference agencies may also be used;

  • Obtaining additional information on the intended nature of the business relationship;

  • Obtaining information on the source of funds or source of wealth of the customer;

  • Conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination. In practice, this includes reviewing the client’s profile once a year, including the transaction histories in that review, setting thresholds for unusual activity, investigating atypical or high-risk transactions, and applying additional controls or verification steps when needed to ensure ongoing compliance with AML requirements.

Paynetics’ MLRO retains the discretion to classify a client as high-risk and apply Enhanced Due Diligence (EDD) if they determine additional scrutiny is necessary. In practice, this means the MLRO may require more detailed verification of the customer’s identity, review of source of funds or wealth, more frequent monitoring of transactions, and additional checks on beneficial owners or corporate structures to ensure that any potential AML risks are properly managed.

XI. Identification and Verification Methods

The verification procedures must be completed, and satisfactory evidence of the new applicant's identity must be obtained, before the commencement of the business relationship with the customer.

In case of remote identification of the applicant, including the identification of natural persons, and of the legal representatives, proxies and other natural persons subject to identification in relation to the identification of a customer - legal entity or another legal arrangement, the identification is done by presenting a copy of an official identity document.

When establishing a business relationship, the collected identification data shall be verified using the following methods:

  1. Provision of a picture of the ID card or passport. The document must be issued by the government, be valid (i.e., not expired), and contain the full name of the person, date of birth, and photograph.

  2. Use of technical means to verify the authenticity of the submitted document (through an external technological partner for the analysis of the customer's biometric data).

In addition to the above, it is mandatory to perform checks for sanctions, PEPs and adverse media via a technical vendor.