KYC / KYB POLICY

Last Updated: September 30, 2025

1. Purpose & Scope

This Know-Your-Customer / Know-Your-Business Policy (“KYC/KYB Policy”) sets out how FP Solutions Inc. (trading as 4payments) identifies and verifies all private and corporate clients before granting access to its card-issuing and payment services.

The Policy applies to:

  • every onboarding or re-onboarding event;

  • any subsequent change requiring re-verification (see §5);

  • all staff, contractors and third-party service providers that perform KYC/KYB tasks on the Company’s behalf.

2. Regulatory References

  • Law No. 23 of 27 April 2015 (Panama)

  • FATF Recommendations 10, 22 & 24 (customer due diligence, DNFBPs, beneficial ownership)

  • EU AMLD 6, GDPR (for data protection) – followed as best practice

  • FINCEN/OFAC, UN, HMT, EU sanctions lists – for screening

3. Definitions

  • Customer – any natural or legal person applying for or using 4payments products.

  • Verification – collecting documents/information and authenticating their validity.

  • UBO – an individual who ultimately owns or controls ≥ 25 % of a legal entity.

  • High-risk jurisdiction – country rated High or Very High by FATF, EU, or Basel AML Index.

4. Individual Customers (B2C)

Tier

Cumulative Volume per calendar year

Minimum Data & Documents

Refresh Frequency

Tier 0 (Basic)

≤ €1,000

• Full name, date of birth, nationality • Verified e-mail address

24 months

Tier 1 (Standard)

≤ €15,000

• Tier 0 data • Government-issued photo ID (verified via liveness + OCR) • Biometric selfie match

12 months

Tier 2 (EDD)

> €15,000 or high-risk jurisdiction

• Tier 1 data • Proof of residential address ≤ 3 months old • Proof of source of funds

6 months

Screening: All individuals are screened at onboarding and daily thereafter against global sanctions, PEP and adverse-media databases (ComplyAdvantage).

Biometrics: Facial templates are AES-256-encrypted, stored 5 years post-account closure; processing based on explicit consent (GDPR Art 9 §2 (a)).

5. Corporate Customers (B2B – KYB)

Mandatory documentation

  1. Certificate of incorporation / extract from commercial register (not older than 3 months).

  2. Memorandum & Articles / Charter.

  3. Registered office address proof.

  4. List of directors and senior managers.

  5. UBO identification: passport + address proof for each ≥ 25 % owner.

  6. Nature of business and expected transactional profile.

  7. Where applicable: recent financial statements, regulatory licence, or tax ID.

Verification steps

  • Cross-check corporate registration via official registry/API.

  • Validate director/UBO IDs and screen them like individual clients.

  • Obtain signed corporate KYC form confirming ownership structure.

  • Conduct independent media search for adverse information.

Refresh cycles

  • Low-risk entities – every 24 months.

  • Medium risk – every 12 months.

  • High risk (FIs, crypto services, NGOs, shell companies) – every 6 months.

6. Risk-Based Categorisation

Risk Factor

Low

Medium

High

Jurisdiction

FATF “Compliant”

FATF “Largely Compliant”

FATF “High-Risk / Grey List”

Industry

Retail, SaaS

Fin-tech, Affiliate marketing

Crypto services, Gambling

Customer Type

Salaried individual

SME with simple structure

Complex ownership, Shell

PEP Status

None

PEP or close associate

The highest factor determines the overall risk rating. High-risk customers require Enhanced Due Diligence (EDD) sign-off by a senior compliance officer.

7. Triggers for Re-Verification

  • Name, address, or corporate structure change.

  • Sudden or sustained transaction volume increase ≥ 30 % above declared profile.

  • Adverse-media hit, sanctions update, or PEP status change.

  • Document expiry (passport/ID/registration extract older than allowed).

  • System alert from transaction-monitoring rules (details handled in AML Policy).

Clients must provide updated documents within five (5) business days or their account is suspended.

8. Data Retention & Protection

  • All KYC/KYB files (digital or hard copy) are stored ≥ 5 years after the relationship ends.

  • Access is limited to authorised staff via role-based controls; logs are kept for 7 years.

  • Data subjects can request access/correction in line with GDPR Chapter III.

9. Roles & Responsibilities

  • Compliance Officer – owns this Policy, approves procedures, conducts quality checks.

  • KYC Analysts – perform onboarding, screening, periodic reviews, escalate red flags.

  • IT & Security – maintain secure storage and access control.

  • All Employees – must immediately report any discrepancy or document forgery.

10. Training & Quality Assurance

  • New hires: mandatory KYC module within first 2 weeks.

  • Annual refresher for all relevant staff.

  • 10 % of all files undergo quarterly quality sampling; error rate target ≤ 2 %.

11. Policy Review

The Compliance Officer reviews this Policy at least annually or earlier if regulations, risk appetite, or products change. Proposed amendments require approval by the Board of Directors.

Contact: compliance@4payments.io

‹ AML POLICY