4payments - KYC / KYB POLICY

(Stand-alone document – AML procedures are handled in a separate policy)

Version 1.0 – 24 June 2025

1. Purpose & Scope

This Know-Your-Customer / Know-Your-Business Policy (“KYC/KYB Policy”) sets out how FP Solutions S.A. (trading as 4payments) identifies and verifies all private and corporate clients before granting access to its card-issuing and payment services.

The Policy applies to:

every onboarding or re-onboarding event;

any subsequent change requiring re-verification (see §5);

all staff, contractors and third-party service providers that perform KYC/KYB tasks on the Company’s behalf.

2. Regulatory References

Law No. 23 of 27 April 2015 (Panama)

FATF Recommendations 10, 22 & 24 (customer due diligence, DNFBPs, beneficial ownership)

EU AMLD 6, GDPR (for data protection) – followed as best practice

FINCEN/OFAC, UN, HMT, EU sanctions lists – for screening

3. Definitions

Customer – any natural or legal person applying for or using 4payments products.

Verification – collecting documents/information and authenticating their validity.

UBO – an individual who ultimately owns or controls ≥ 25 % of a legal entity.

High-risk jurisdiction – country rated High or Very High by FATF, EU, or Basel AML Index.

4. Individual Customers (B2C)

| Tier | Cumulative Volume per calendar year | Minimum Data & Documents | Refresh Frequency |
|---|---|---|---|
| Tier 0 (Basic) | ≤ €1,000 | • Full name, date of birth, nationality • Verified e-mail address | 24 months |
| Tier 1 (Standard) | ≤ €15,000 | • Tier 0 data • Government-issued photo ID (verified via liveness + OCR) • Biometric selfie match | 12 months |
| Tier 2 (EDD) | > €15,000 or high-risk jurisdiction | • Tier 1 data • Proof of residential address ≤ 3 months old • Proof of source of funds | 6 months |

Screening: All individuals are screened at onboarding and daily thereafter against global sanctions, PEP and adverse-media databases (ComplyAdvantage).

Biometrics: Facial templates are AES-256-encrypted and stored for 5 years after account closure; processing is based on explicit consent (GDPR Art 9 §2 (a)).

5. Corporate Customers (B2B – KYB)

Mandatory documentation

Certificate of incorporation / extract from commercial register (not older than 3 months).

Memorandum & Articles / Charter.

Registered office address proof.

List of directors and senior managers.

UBO identification: passport + address proof for each ≥ 25 % owner.

Nature of business and expected transactional profile.

Where applicable: recent financial statements, regulatory licence, or tax ID.

Verification steps

Cross-check corporate registration via official registry/API.

Validate director/UBO IDs and screen them like individual clients.

Obtain signed corporate KYC form confirming ownership structure.

Conduct independent media search for adverse information.

Refresh cycles

Low-risk entities – every 24 months.

Medium risk – every 12 months.

High risk (FIs, crypto services, NGOs, shell companies) – every 6 months.

6. Risk-Based Categorisation

| Risk Factor | Low | Medium | High |
|---|---|---|---|
| Jurisdiction | FATF “Compliant” | FATF “Largely Compliant” | FATF “High-Risk / Grey List” |
| Industry | Retail, SaaS | Fin-tech, Affiliate marketing | Crypto services, Gambling |
| Customer Type | Salaried individual | SME with simple structure | Complex ownership, Shell |

PEP Status

None

PEP or close associate

The highest factor determines the overall risk rating. High-risk customers require Enhanced Due Diligence (EDD) sign-off by a senior compliance officer.

7. Triggers for Re-Verification

Name, address, or corporate structure change.

Sudden or sustained transaction volume increase ≥ 30 % above declared profile.

Adverse-media hit, sanctions update, or PEP status change.

Document expiry (passport/ID/registration extract older than allowed).

System alert from transaction-monitoring rules (details handled in AML Policy).

Clients must provide updated documents within five (5) business days or their account is suspended.

8. Data Retention & Protection

All KYC/KYB files (digital or hard copy) are stored ≥ 5 years after the relationship ends.

Access is limited to authorised staff via role-based controls; logs are kept for 7 years.

Data subjects can request access/correction in line with GDPR Chapter III.

9. Roles & Responsibilities

Compliance Officer – owns this Policy, approves procedures, conducts quality checks.

KYC Analysts – perform onboarding, screening, periodic reviews, escalate red flags.

IT & Security – maintain secure storage and access control.

All Employees – must immediately report any discrepancy or document forgery.

10. Training & Quality Assurance

New hires: mandatory KYC module within first 2 weeks.

Annual refresher for all relevant staff.

10 % of all files undergo quarterly quality sampling; error rate target ≤ 2 %.

11. Policy Review

The Compliance Officer reviews this Policy at least annually or earlier if regulations, risk appetite, or products change. Proposed amendments require approval by the Board of Directors.

Contact: compliance@4payments.io
