AML/KYC Policy
ZIMMA SOLUTIONS (PRIVATE) LIMITED
ANTI-MONEY LAUNDERING, COUNTER-TERRORISM FINANCING
AND KNOW YOUR CUSTOMER POLICY
Effective Date: 07 April 2026
Last Updated: 07 April 2026
Version: 1.0
SECP Incorporation No: 0331469 | NTN: I782094
Plot No. 01-B, Street 10, Sector G-14/4, Islamabad, Pakistan
hello@zimma.com.pk | www.zimma.com.pk
IMPORTANT NOTICE
This Anti-Money Laundering, Counter-Terrorism Financing, and Know Your Customer Policy ("Policy") sets out the framework through which Zimma Solutions (Private) Limited identifies, assesses, manages, and reports the risks of money laundering, terrorism financing, and proliferation financing that may arise in connection with its escrow and buyer protection services. This Policy is incorporated by reference into Zimma's Terms of Service and is binding on all Users of the Zimma platform.
Zimma Solutions (Private) Limited is a SECP-registered private limited company. It is not an Electronic Money Institution (EMI) licensed by the State Bank of Pakistan. However, as a SECP-registered entity engaged in financial intermediation through the provision of escrow services, Zimma is subject to the Anti-Money Laundering Act, 2010, the SECP AML/CFT Regulations, 2018, and all associated guidance issued by competent authorities.
By registering on the Zimma platform and participating in any escrow transaction, each User acknowledges that they are subject to the obligations imposed by this Policy and consents to the identity verification, screening, and monitoring activities described herein.
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this Policy is to:
Establish a robust and risk-based framework for the prevention of money laundering (ML), terrorism financing (TF), and proliferation financing (PF) in connection with Zimma's escrow services;
Define the Know Your Customer (KYC) processes that all Users must complete before creating or participating in any escrow transaction;
Set out Zimma's obligations to screen users and transactions against designated and proscribed persons lists;
Establish Zimma's obligations to monitor transactions, file regulatory reports, and retain records in compliance with Applicable Laws;
Protect Zimma, its Users, and the integrity of Pakistan's financial system from misuse for financial crime.
1.2 Scope
This Policy applies to:
All individuals seeking to register on the Zimma platform as Buyers or Sellers;
All escrow transactions processed through the Zimma platform regardless of amount;
All employees, directors, officers, contractors, and third-party service providers of Zimma who are involved in onboarding users, processing transactions, or handling financial data;
The use of AWS Rekognition for biometric identity verification and Veevo Tech for OTP delivery in connection with the KYC process.
1.3 Relationship to Other Zimma Policies
This Policy should be read together with Zimma's Terms of Service, Privacy Policy, Dispute Resolution Policy, and Refund Policy. Where a conflict arises between the requirements of this Policy and any other Zimma policy, the requirements of this Policy shall prevail.
2. DEFINITIONS
Capitalized terms used in this Policy carry the meanings assigned to them in Zimma's Terms of Service unless otherwise defined below.
"AML/CFT" means Anti-Money Laundering and Counter-Terrorism Financing.
"AWS Rekognition" means the biometric facial recognition service provided by Amazon Web Services, Inc., used by Zimma during KYC to compare a User's live selfie against the photograph on their CNIC.
"Beneficial Owner" means the natural person(s) who ultimately own or control a User, or on whose behalf a transaction is being conducted, including those who exercise ultimate effective control.
"Business Relationship" means any ongoing or transactional relationship between Zimma and a User created upon the User's registration on the Zimma platform.
"CDD" means Customer Due Diligence — the process of identifying and verifying the identity of a User and understanding the nature and purpose of the Business Relationship.
"CTR" means a Currency Transaction Report filed with the Financial Monitoring Unit in relation to electronic transactions equalling or exceeding the prescribed reporting threshold.
"Designated Person" means any individual or entity designated or proscribed by the Government of Pakistan under the Anti-Terrorism Act, 1997, or by the United Nations Security Council under applicable UNSC Resolutions.
"EDD" means Enhanced Due Diligence — additional measures applied to Users or transactions assessed as high risk.
"FMU" means the Financial Monitoring Unit of Pakistan, established under Section 6 of the AML Act 2010.
"KYC" means Know Your Customer — the identity verification process consisting of CNIC verification, biometric facial matching via AWS Rekognition, and OTP confirmation via Veevo Tech.
"ML" means Money Laundering as defined in Section 2 of the AML Act 2010.
"NADRA" means the National Database and Registration Authority of Pakistan.
"PEP" means a Politically Exposed Person — an individual who is or has been entrusted with a prominent public function, including heads of state, senior politicians, senior government officials, judicial officers, senior military officers, senior executives of state-owned enterprises, and senior officials of political parties, together with their family members and close associates.
"Predicate Offence" means an offence whose proceeds may be the subject of money laundering, as listed in the Schedule to the AML Act 2010.
"Risk-Based Approach" means an approach to AML/CFT compliance in which resources and controls are allocated proportionately to the level of money laundering and terrorism financing risk identified.
"STR" means a Suspicious Transaction Report filed with the FMU under Section 7 of the AML Act 2010.
"TF" means Terrorism Financing as defined under the Anti-Terrorism Act, 1997 and the AML Act 2010.
"Veevo Tech" means the SMS gateway service provider used by Zimma for delivery of OTPs via SMS using the sender ID "ZIMMA."
3. LEGAL AND REGULATORY FRAMEWORK
Zimma's AML/CFT and KYC obligations are derived from the following laws and regulatory frameworks:
a. Anti-Money Laundering Act, 2010 ("AML Act")
Section 2: Definitions of money laundering and terrorism financing;
Section 3: Offence of money laundering and associated penalties;
Section 7: Obligations on reporting entities to maintain records, identify customers, and file STRs with the FMU;
Section 8: Obligation to file CTRs;
Section 9: Tipping-off prohibition;
Section 26: FMU's powers of inspection and direction.
b. SECP AML/CFT Regulations, 2018
Governing the AML/CFT obligations of SECP-regulated entities, including customer due diligence, enhanced due diligence, transaction monitoring, and reporting obligations applicable to Zimma as a SECP-registered company engaged in financial intermediation.
c. Anti-Terrorism Act, 1997 ("ATA 1997")
Section 11A and Schedule IV: Proscribed organizations and designated individuals whose assets must be frozen and to whom services must not be rendered;
Obligations relating to the identification and reporting of terrorism financing.
d. Payment Systems and Electronic Fund Transfers Act, 2007 ("PS&EFT Act 2007")
Section 7: Obligation to retain complete records of electronic transactions;
Section 70: Confidentiality obligations in relation to consumer transaction data.
e. NADRA Ordinance, 2000
Governing Zimma's use of CNIC data for identity verification, including the permissible purposes for and restrictions on the use of NADRA-issued identity credentials.
f. Prevention of Electronic Crimes Act, 2016 ("PECA 2016")
Sections 3, 4, and 14 are directly applicable to the detection and reporting of fraudulent KYC submissions, identity fraud, and offences committed in connection with electronic transactions.
g. FATF Recommendations
Pakistan is a member of the Asia/Pacific Group on Money Laundering (APG) and has committed to implementing the FATF's 40 Recommendations. Zimma voluntarily aligns its AML/CFT framework with FATF best practice, including the Risk-Based Approach, beneficial ownership requirements, and suspicious transaction reporting standards.
h. United Nations Security Council Resolutions
Relevant UNSC Resolutions imposing targeted financial sanctions and asset freezes, implemented in Pakistan through the ATA 1997 and associated schedules, including Resolutions 1267 (1999), 1373 (2001), 1988 (2011), and 1989 (2011).
4. ZIMMA'S AML/CFT RISK PROFILE
4.1 Inherent Risks
Zimma operates Pakistan's first dedicated escrow and buyer protection service. This business model presents the following inherent AML/CFT risk characteristics:
Fund-holding risk: Zimma holds PKR funds on behalf of third parties. If those funds represent the proceeds of crime, Zimma could inadvertently facilitate the laundering of those proceeds by transferring them to a Seller in an apparently legitimate transaction.
Anonymity risk: Online platforms connecting buyers and sellers create opportunities for anonymous or pseudonymous actors to use commercial transactions as a vehicle for value transfer.
Layering risk: An escrow arrangement could be used as a layering mechanism — for example, where an actor pays funds to a nominated Seller who is in fact a controlled party, using a fictitious commercial transaction as cover.
Identity fraud risk: Users may submit fabricated, stolen, or misappropriated CNIC documents during the KYC process in an attempt to circumvent identity controls.
Prohibited goods risk: The escrow platform could be used to facilitate the sale of prohibited goods or services where the true nature of the underlying transaction is concealed in the Transaction Terms.
4.2 Risk Mitigation Through Zimma's Design
Zimma's escrow model contains inherent risk mitigants:
Mandatory KYC before any transaction: No User may participate in an escrow transaction without completing CNIC verification and biometric matching. This eliminates anonymous transactions.
Biometric verification: AWS Rekognition facial comparison during onboarding significantly reduces the risk of identity fraud by confirming that the person registering is the genuine CNIC holder.
PKR-only, Pakistan-only transactions: Zimma does not support cross-border transactions or foreign currency, limiting exposure to cross-border typologies.
Segregated escrow funds: Escrow Funds are held in a dedicated UBL bank account not co-mingled with Zimma's operating funds, creating a clear audit trail.
Immutable transaction records: All escrow events are logged with timestamps and are irrevocable once completed.
4.3 Risk Categorization and the Risk-Based Approach
Zimma adopts a Risk-Based Approach to AML/CFT compliance. Users and transactions are categorized by risk level — Standard Risk, Elevated Risk, and High Risk — and the level of due diligence applied is proportionate to the risk level assigned.
Risk Category | Criteria | Due Diligence Level
Standard Risk | Identity fully verified; transaction patterns consistent with stated purpose; no adverse screening results; no suspicious indicators. | Standard CDD (Section 7): Full KYC completion + standard transaction monitoring.
Elevated Risk | Inconsistency in transaction value vs occupation; unusual frequency for new user; vague Transaction Terms; prior dispute history suggesting abuse. | Enhanced monitoring + compliance review. EDD may be triggered at compliance officer discretion.
High Risk / EDD | PEP; prior STR flag; sanctions screening match or near-match; transactions consistent with known ML/TF typologies; refusal of CDD; high-value transaction. | Full EDD (Section 8): Source of funds documentation + senior management approval + enhanced monitoring + periodic review.
5. CUSTOMER ACCEPTANCE POLICY
5.1 Who Zimma Will Onboard
Zimma will onboard as registered Users only those individuals who:
Are natural persons aged eighteen (18) years or above;
Are Pakistani nationals holding a valid CNIC issued by NADRA;
Successfully complete the full KYC process described in Section 6, including biometric verification via AWS Rekognition;
Are not Designated Persons under the ATA 1997 or any applicable UNSC Resolution;
Are not subject to any sanctions, court order, or regulatory direction prohibiting their use of Zimma's services;
Can provide accurate and truthful registration information.
5.2 Categories of Users Zimma Will Not Onboard
Zimma will not onboard, and will close any existing account of, a User who:
Cannot be verified through the CNIC-based KYC process — for example, because the CNIC is expired, unreadable, or does not match the live selfie through AWS Rekognition's facial comparison;
Is identified as a Designated Person through sanctions screening at any stage;
Has provided false, fabricated, or misappropriated identity documentation — a matter that may also be referred to law enforcement under PECA 2016;
Is a legal entity — Zimma's escrow service is available to natural persons only; legal entities, corporations, and partnerships may not register as Users;
Appears, based on available information, to present an unacceptably high risk of money laundering or terrorism financing that cannot be mitigated by enhanced due diligence.
5.3 Anonymous Accounts Prohibited
Zimma does not permit anonymous accounts, accounts held under fictitious names, or accounts opened in the name of another person. Each account must be registered under the User's own verified legal name as it appears on their CNIC.
5.4 One Account Per CNIC
Zimma does not permit more than one registered account per CNIC. Where duplicate accounts are detected, all associated accounts will be suspended pending investigation and the matter will be escalated for AML review.
6. KNOW YOUR CUSTOMER (KYC) — IDENTITY VERIFICATION PROCESS
6.1 Mandatory Pre-Transaction KYC
No User may create, initiate, or participate in any escrow transaction on the Zimma platform without first completing the KYC process to Zimma's satisfaction. Account registration without KYC completion grants access to the platform only in a limited, non-transactional capacity.
6.2 KYC Data Collected
During the KYC process, Zimma collects the following minimum information from each User, consistent with the customer information requirements of the SECP AML/CFT Regulations and CDD standards:
Full legal name as it appears on the CNIC;
Father's name or spouse's name as applicable;
CNIC number (13-digit national identification number);
Digital image of the front of the CNIC;
Digital image of the back of the CNIC;
CNIC issue date and expiry date;
Residential address;
Mobile phone number (registered as the primary identifier and OTP delivery channel);
Email address;
Date of birth;
Live selfie image (for biometric facial comparison via AWS Rekognition).
6.3 Two-Factor Authentication in KYC
Consistent with two-factor authentication best practice, Zimma's KYC process uses two independent verification factors:
Factor 1 — Something the User Is (Biometric): AWS Rekognition performs an automated comparison of the User's live selfie against the photograph on their CNIC, generating a confidence score. Verification is accepted where the confidence score meets or exceeds Zimma's defined threshold.
Factor 2 — Something the User Has (Possession): An OTP is delivered to the User's registered mobile phone number via SMS through Veevo Tech (sender ID: ZIMMA), confirming that the User has possession of the phone number associated with the CNIC registration.
6.4 CNIC Authenticity and NADRA Verification
To the extent technically available and permissible under the NADRA Ordinance 2000, Zimma will use NADRA's CNIC verification services (NADRA VeriSys or equivalent) to confirm the authenticity of the CNIC number and registered details submitted by the User. Where NADRA verification is not available for a particular submission, Zimma relies on the biometric matching results from AWS Rekognition and its own document review procedures.
6.5 Pre-Screening Before Account Activation
Before activating any User account or allowing a User to initiate their first escrow transaction, Zimma will screen the User's identity against:
The list of designated and proscribed persons maintained under Schedule IV of the ATA 1997;
Applicable UNSC sanctions lists;
Any other sanctions list that Zimma is required by law or regulatory direction to screen against.
If a match or potential match is identified, the User's account will not be activated and the matter will be escalated for review in accordance with Section 11.
6.6 KYC Completion Standard
KYC is considered complete only when all of the following conditions are satisfied:
The User's CNIC details have been collected and the CNIC images are legible;
AWS Rekognition has returned a positive biometric match at or above Zimma's defined confidence threshold;
The OTP delivered via Veevo Tech has been successfully verified;
Pre-screening against sanctions lists has returned no confirmed match;
Zimma's compliance team has not flagged the submission for further review.
6.7 Failed KYC
Where a User fails the KYC process, Zimma will notify the User and, where technically possible, provide guidance on reattempting the process. Where KYC failure is suspected to involve fraudulent documentation, Zimma will escalate the matter and may file an STR with the FMU.
7. CUSTOMER DUE DILIGENCE (CDD)
7.1 Standard CDD
Standard CDD is applied to all Users upon registration. It consists of the KYC process described in Section 6, together with the collection and verification of information in Section 6.2 and the pre-screening described in Section 6.5.
7.2 Understanding the Purpose of the Business Relationship
In addition to identity verification, Zimma collects information at the time of registration and through the Transaction Terms of each Escrow Transaction to understand the nature and purpose of the Business Relationship. This includes the type of goods or services the User intends to buy or sell, the anticipated frequency and value of escrow transactions, and the User's stated occupation where relevant to the risk assessment.
7.3 CDD for Each Escrow Transaction
For each Escrow Transaction, Zimma reviews the Transaction Terms entered by the Buyer to assess whether the description of goods or services is consistent with: the User's verified identity and stated occupation; the PKR amount being placed in escrow; the User's prior transaction history on the platform; and the list of prohibited transaction categories under Section 11 of the Terms of Service.
7.4 Risk Categorization
Based on the CDD process, each User will be assigned a Standard Risk, Elevated Risk, or High Risk rating as described in Section 4.3 and the risk table above. The level of ongoing due diligence applied is proportionate to the risk category assigned.
7.5 Refusal of CDD
Where a User refuses to provide information necessary for Zimma to complete CDD, or provides clearly false or misleading information, Zimma will decline to onboard or suspend an existing account, decline to process pending Escrow Transactions, and consider filing an STR where the refusal itself raises suspicion of ML/TF.
8. ENHANCED DUE DILIGENCE (EDD)
8.1 When EDD Is Required
Zimma will apply Enhanced Due Diligence measures to a User where one or more of the following apply:
The User is identified or suspected to be a Politically Exposed Person (PEP), as described in Section 10;
The User has been assigned a High Risk rating following the CDD assessment under Section 7.4;
The Escrow Transaction involves an amount that exceeds Zimma's defined high-value threshold;
The transaction pattern is inconsistent with the User's profile or the Transaction Terms;
The User's CNIC details are associated with a prior STR or adverse screening result;
A Dispute reveals indicators suggesting the transaction may not be a genuine commercial transaction;
The User has been referred for EDD by Zimma's transaction monitoring system.
8.2 EDD Measures
When EDD is required, Zimma will apply one or more of the following additional measures proportionate to the risk identified:
Source of Funds Verification: Requesting documentary evidence of the source of funds being deposited into escrow, per Section 16;
Source of Wealth Verification: For high-value transactions, requesting documentation to establish the broader source of the User's wealth;
Senior Management Approval: Requiring approval from a senior compliance officer before activating a high-risk account or processing a high-risk transaction;
Enhanced Transaction Monitoring: More frequent and intensive review of the User's transaction history;
Additional Identity Verification: Requesting further documentation supplementing the CNIC-based KYC;
Increased Frequency of CDD Refresh: Re-verifying KYC information more frequently than the standard cycle.
8.3 Consequences of Failed EDD
Where a User fails to cooperate with EDD requirements or cannot satisfactorily address elevated risk indicators within a reasonable period, Zimma will suspend the User's account and freeze any Escrow Funds, decline to process new transactions, file an STR where warranted, and permanently close the account where the risk cannot be mitigated.
9. SIMPLIFIED DUE DILIGENCE
Zimma does not apply simplified due diligence to any User. All Users, without exception, must complete the full KYC process and standard CDD before participating in any escrow transaction. Given that Zimma holds PKR funds in trust, application of simplified due diligence to any User would be inappropriate and inconsistent with risk-based principles.
10. POLITICALLY EXPOSED PERSONS (PEPs)
10.1 Definition of PEP
For the purposes of this Policy, a PEP is an individual who is or has been entrusted with a prominent public function, including: heads of state or government; senior government ministers; members of national or provincial assemblies; senior government officials; senior judicial officers; senior military officers (Brigadier/equivalent and above); senior executives and board members of state-owned enterprises; and senior officials of major political parties. Family members and close associates of PEPs are also treated as PEPs, consistent with FATF Recommendation 12.
10.2 PEP Screening
Zimma will screen all Users against PEP lists at the time of KYC onboarding and on an ongoing basis using third-party PEP screening databases, government-published lists, or internal research.
10.3 Mandatory EDD for PEPs
Where a User is identified or reasonably suspected to be a PEP, Zimma will:
Immediately subject the User to EDD as described in Section 8;
Require senior management approval before activating the User's account or processing any Escrow Transaction;
Apply enhanced transaction monitoring to all of the PEP User's transactions;
Conduct periodic review of the PEP User's account at intervals not exceeding twelve (12) months.
10.4 Foreign PEPs
Foreign PEPs are automatically treated as high-risk and subject to full EDD regardless of transaction amount.
10.5 Domestic PEPs
Domestic PEPs are subject to a risk-based assessment. Where transaction amounts are low and there are no adverse indicators, the EDD measures applied may be proportionately less intensive than those applied to foreign PEPs, in accordance with FATF guidance on domestic PEPs.
11. SANCTIONS SCREENING
11.1 Legal Obligation
Zimma is legally required to freeze the assets of, and refuse to provide services to, any individual or entity designated under Schedule IV of the ATA 1997 or by the United Nations Security Council under applicable UNSC Resolutions.
11.2 Screening at Onboarding
Every User's identity information is screened against relevant sanctions lists before their account is activated and before they are permitted to initiate any Escrow Transaction.
11.3 Ongoing Screening
Zimma will conduct ongoing screening of registered Users against updated sanctions lists at regular intervals and whenever lists are materially updated. Where a User is identified as a Designated Person following account activation, Zimma will immediately:
Freeze the User's account;
Freeze any Escrow Funds associated with that User's transactions;
File an STR with the FMU;
Notify the relevant authority as required by the ATA 1997 and applicable SECP guidance;
Decline to process any instruction to release or return Escrow Funds until directed by a competent authority.
11.4 False Positive Management
Where a screening result is a potential but unconfirmed match, Zimma will conduct a manual review. A false positive will be documented and the User's account will remain active during review unless other grounds for suspension exist. Where the review confirms a genuine match, the obligations in Section 11.3 apply immediately.
11.5 No Prior Notice
Zimma will not give prior notice to a User before freezing their account or Escrow Funds as a result of a sanctions match. Any notification to the User will be limited to what is legally permissible, taking into account the tipping-off prohibition in Section 17.
12. ONGOING CUSTOMER DUE DILIGENCE
12.1 KYC Refresh
Zimma will refresh a User's KYC information where: the User's CNIC has expired and a renewed CNIC has not been submitted within thirty (30) days; transaction monitoring identifies a material change in the User's patterns; a Dispute raises doubts about the User's identity; or Zimma receives adverse information from a third party including law enforcement or the FMU.
12.2 Periodic Review
Zimma will conduct periodic review of its User base at intervals determined by its compliance function, with higher-risk Users reviewed more frequently. The periodic review will consider: whether KYC information remains current; whether transaction history is consistent with the User's profile; and whether any new adverse information has emerged.
12.3 Transaction History as Ongoing CDD
Zimma's records of each User's escrow transaction history — including types of goods and services traded, transaction values, counterparty patterns, and dispute history — constitute an ongoing source of CDD intelligence that Zimma actively monitors.
13. TRANSACTION MONITORING
13.1 Monitoring Obligation
Zimma is required to monitor transactions processed through its platform for indicators of money laundering, terrorism financing, and other financial crime under Section 7 of the AML Act 2010, the SECP AML/CFT Regulations 2018, and FATF Recommendation 10.
13.2 Monitoring Parameters
Zimma's transaction monitoring covers the following parameters:
Transaction value: Escrow transactions that are unusually large relative to a User's profile or stated occupation;
Transaction frequency: Unusually high numbers of escrow transactions within a short period, or patterns inconsistent with stated purpose;
Counterparty patterns: A User who repeatedly transacts with the same counterparty in a manner lacking clear commercial rationale;
Round-figure transactions: Escrow amounts that are consistently round figures or that appear structured to avoid a reporting threshold;
Transaction description inconsistencies: Transaction Terms that are vague, implausible, or inconsistent with the User's profile;
Rapid cycling: Escrow Funds deposited and immediately or quickly returned or released without clear commercial explanation;
Geographic inconsistencies: User's stated address inconsistent with transaction behaviour or device data.
13.3 Structuring
Where monitoring identifies a pattern suggesting a User may be deliberately structuring transactions to avoid reporting thresholds, Zimma will treat this as a high-risk indicator, escalate for compliance review, and consider filing an STR.
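The monitoring parameters in Section 13.2 and the structuring pattern in Section 13.3, as an added illustration that is not part of this Policy or of Zimma's own monitoring system: a small Python scan over a constructed escrow ledger that raises flags for the manual review described in Section 13.4. The reporting threshold, windows and multipliers are assumed placeholder values (the Policy does not publish Zimma's parameters), and the counterparty and geographic indicators are left to manual review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed parameters for illustration only: the Policy does not publish
# Zimma's actual CTR threshold, high-value threshold or monitoring limits.
CTR_THRESHOLD_PKR = 2_000_000           # placeholder reporting threshold
STRUCTURING_BAND = 0.10                 # "just under" = within 10% below it
FREQUENCY_WINDOW = timedelta(hours=24)
FREQUENCY_LIMIT = 5                     # deposits inside the window
RAPID_CYCLE_WINDOW = timedelta(hours=2)
LARGE_MULTIPLIER = 5.0                  # vs. median of the User's prior deposits
ROUND_UNIT = 100_000                    # "round figure" = multiple of this


@dataclass(frozen=True)
class EscrowEvent:
    event_id: str
    user_cnic: str           # CNIC of the User whose account is being reviewed
    counterparty_cnic: str
    amount_pkr: int
    timestamp: datetime
    event_type: str          # "deposit", "release" or "return"


def is_round_figure(amount_pkr: int) -> bool:
    return amount_pkr >= ROUND_UNIT and amount_pkr % ROUND_UNIT == 0


def scan_user(events: list[EscrowEvent]) -> dict[str, str]:
    """Apply the Section 13.2/13.3 indicators to one User's escrow events and
    return {rule_name: detail} for the compliance officer's manual review."""
    events = sorted(events, key=lambda e: e.timestamp)
    deposits = [e for e in events if e.event_type == "deposit"]
    alerts: dict[str, str] = {}

    # Transaction frequency: too many deposits inside a rolling window.
    for i, first in enumerate(deposits):
        window = [d for d in deposits[i:] if d.timestamp - first.timestamp <= FREQUENCY_WINDOW]
        if len(window) >= FREQUENCY_LIMIT:
            alerts["frequency"] = f"{len(window)} deposits within {FREQUENCY_WINDOW}"
            break

    # Transaction value: a deposit far above the User's own established pattern.
    for i, d in enumerate(deposits):
        prior = [p.amount_pkr for p in deposits[:i]]
        if len(prior) >= 3 and d.amount_pkr > LARGE_MULTIPLIER * median(prior):
            alerts["large_value"] = f"{d.event_id}: {d.amount_pkr} vs prior median {median(prior)}"
            break

    # Round-figure transactions: consistently round amounts across several deposits.
    if len(deposits) >= 3:
        n_round = sum(is_round_figure(d.amount_pkr) for d in deposits)
        if n_round / len(deposits) >= 0.8:
            alerts["round_figures"] = f"{n_round}/{len(deposits)} deposits are multiples of {ROUND_UNIT}"

    # Structuring (Section 13.3): several same-day deposits, each just under the
    # reporting threshold, that together meet or exceed it.
    lower = CTR_THRESHOLD_PKR * (1 - STRUCTURING_BAND)
    by_day: dict = {}
    for d in deposits:
        if lower <= d.amount_pkr < CTR_THRESHOLD_PKR:
            by_day.setdefault(d.timestamp.date(), []).append(d)
    for day, group in by_day.items():
        total = sum(d.amount_pkr for d in group)
        if len(group) >= 2 and total >= CTR_THRESHOLD_PKR:
            alerts["structuring"] = f"{day}: {len(group)} sub-threshold deposits totalling {total}"
            break

    # Rapid cycling: a deposit returned or released at the same amount shortly after.
    for d in deposits:
        for e in events:
            gap = e.timestamp - d.timestamp
            if (e.event_type in ("return", "release") and e.amount_pkr == d.amount_pkr
                    and timedelta(0) <= gap <= RAPID_CYCLE_WINDOW):
                alerts["rapid_cycling"] = f"{d.event_id} -> {e.event_id} after {gap}"
        if "rapid_cycling" in alerts:
            break
    return alerts


def _ev(eid, user, cp, amount, ts, kind="deposit"):
    return EscrowEvent(eid, user, cp, amount, datetime.fromisoformat(ts), kind)


# Constructed sample ledger; CNICs, amounts and dates are invented placeholders.
SAMPLE_EVENTS = [
    _ev("A1", "1111111111111", "9000000000001", 1_900_000, "2026-04-08T09:00"),  # User A: three
    _ev("A2", "1111111111111", "9000000000002", 1_850_000, "2026-04-08T13:30"),  # same-day deposits
    _ev("A3", "1111111111111", "9000000000003", 1_950_000, "2026-04-08T17:10"),  # just under threshold
    _ev("B1", "2222222222222", "9000000000004", 500_000, "2026-04-09T10:00"),    # User B: deposit
    _ev("B2", "2222222222222", "9000000000004", 500_000, "2026-04-09T10:40", "return"),  # back in 40 min
    _ev("C1", "3333333333333", "9000000000005", 20_000, "2026-03-01T12:00"),     # User C: small history
    _ev("C2", "3333333333333", "9000000000006", 25_000, "2026-03-08T12:00"),
    _ev("C3", "3333333333333", "9000000000007", 30_000, "2026-03-15T12:00"),
    _ev("C4", "3333333333333", "9000000000005", 1_000_000, "2026-04-01T12:00"),  # then a 40x outlier
]
```

A flag from scan_user is an indicator for review, not a determination: under Section 13.4 a compliance officer still decides whether the pattern has a commercial explanation before any STR assessment under Section 14.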
13.4 Automated and Manual Review
Zimma's transaction monitoring combines automated pattern detection with manual review by the compliance function. Where the automated system flags a transaction or pattern, a compliance officer will conduct a manual review within a reasonable period to determine the appropriate response.
14. SUSPICIOUS TRANSACTION REPORTING (STR)
14.1 Obligation to File STRs
Zimma is required by Section 7 of the AML Act 2010 and the SECP AML/CFT Regulations 2018 to file a Suspicious Transaction Report (STR) with the Financial Monitoring Unit (FMU) wherever Zimma knows, suspects, or has reasonable grounds to suspect that:
A transaction involves the proceeds of a Predicate Offence listed in the Schedule to the AML Act 2010;
A transaction is connected to terrorism financing or the financing of a Designated Person;
A User is attempting to use the Zimma platform to launder funds or to evade Zimma's AML/CFT controls;
A User has provided false identity information, including forged or misappropriated CNIC documentation.
14.2 Indicators Triggering STR Assessment
Without limiting Section 14.1, the following indicators will trigger Zimma's internal STR assessment process:
A User refuses to provide KYC or CDD information without a plausible explanation;
A User provides documentation that appears to be forged or inconsistent;
Transaction Terms are implausible, unusually vague, or clearly designed to conceal the true nature of the underlying transaction;
A Dispute reveals that the transaction had no genuine commercial basis;
A User's transaction patterns are consistent with known ML/TF typologies identified in FATF guidance or FMU advisories;
A User appears to be operating as a third-party cash handler — receiving escrow payments from multiple unrelated Buyers and releasing them to the same Seller;
Sanctions screening returns a confirmed or unresolved match.
14.3 STR Filing Process
Upon identification of suspicious circumstances, Zimma's designated compliance officer will:
Document the basis for suspicion in writing;
Determine within a reasonable period whether the circumstances warrant filing an STR;
File the STR with the FMU in the prescribed form within the timeframe required by the AML Act 2010 and the SECP AML/CFT Regulations;
Freeze any Escrow Funds associated with the suspicious transaction pending the FMU's response or direction;
Maintain a copy of the STR and all supporting documentation in Zimma's compliance records.
14.4 Threshold Is Suspicion, Not Certainty
The threshold for filing an STR is suspicion, not certainty. Zimma will file an STR whenever there are reasonable grounds for suspicion, even if no definitive conclusion can be drawn from available information.
14.5 Confidentiality of STRs
The existence of a filed STR and the information it contains are confidential. Zimma will not disclose to the subject User or to any other person that an STR has been filed. This obligation is addressed further in Section 17 (Tipping-Off Prohibition).
15. CURRENCY TRANSACTION REPORTING (CTR)
15.1 CTR Obligation
To the extent that Zimma's escrow operations give rise to CTR obligations under Section 8 of the AML Act 2010, Zimma will file CTRs with the FMU in relation to: any single electronic transaction that equals or exceeds the prescribed reporting threshold; and multiple transactions by the same User within a single Business Day that, when aggregated, equal or exceed the applicable threshold where there are reasonable grounds to believe they are part of a single transaction.
15.2 Threshold
The applicable CTR threshold shall be as prescribed by the FMU and the SECP AML/CFT Regulations from time to time. Zimma will update its internal monitoring parameters whenever the threshold is amended.
15.3 No Customer Alert Required
CTR filing is a regulatory obligation and does not require Zimma to inform the User that their transaction has been reported.
16. SOURCE OF FUNDS VERIFICATION
16.1 Standard Source of Funds Inquiry
For all Escrow Transactions, the Transaction Terms entered by the Buyer constitute the primary source-of-funds disclosure — they describe the commercial purpose for which funds are being deposited into escrow.
16.2 Enhanced Source of Funds Documentation
Where a User's transaction triggers EDD under Section 8, or where the transaction value exceeds Zimma's defined high-value threshold, Zimma may require documentary evidence of the source of Escrow Funds consistent with the indicative list at Annexure J of the SBP EMI Regulations:
For Employed / Salaried Users (any one of):
Latest salary slip;
Salary certificate from employer;
Bank account statement;
Tax return or tax certificate;
For retired persons, evidence of pension or terminal benefits.
For Self-Employed / Non-Salaried Users (any one of):
Receipt of payment against work performed;
Bank account statement showing receipt of relevant funds;
Tax return or tax certificate;
Particulars of income providers;
Any other document evidencing source of income.
Alternative Sources:
Evidence of inheritance;
Agricultural income documentation;
Evidence of investment in securities, bonds, shares, or property;
Evidence of rental or investment income.
16.3 Refusal to Provide Source of Funds Documentation
Where a User refuses or is unable to provide satisfactory source-of-funds documentation following a request under Section 16.2, Zimma will treat the refusal as a high-risk indicator, escalate to the compliance function, and consider filing an STR.
17. TIPPING-OFF PROHIBITION
Section 9 of the AML Act 2010 imposes an absolute prohibition on disclosing to any person that an STR has been, is being, or is about to be filed, where such disclosure is likely to prejudice an investigation. Breach of this prohibition may constitute a criminal offence.
17.1 Application to Zimma
Zimma and all Zimma personnel who are aware of an STR filing, a pending STR assessment, or a transaction freeze arising from AML/CFT concerns are strictly prohibited from: informing the affected User that their account or Escrow Funds have been frozen for AML/CFT reasons; informing the affected User that an STR has been or is being prepared; or informing any third party of the existence of an AML/CFT investigation.
17.2 Permissible Communications
Where an account has been frozen or a transaction delayed for AML/CFT reasons, Zimma may communicate to the affected User only that: (a) their account or transaction is subject to a regulatory hold; (b) processing will resume once the hold is resolved; and (c) they may contact hello@zimma.com.pk for further information to the extent legally permissible. Zimma will not specify the nature of the regulatory hold or confirm or deny whether an STR has been filed.
17.3 Training on Tipping-Off
All Zimma personnel involved in customer accounts, compliance, or transaction processing are required to understand the tipping-off prohibition and to comply with it strictly.
18. RECORD RETENTION
18.1 KYC Records
Zimma will retain all KYC records — including CNIC numbers, CNIC images, live selfie images, biometric comparison results, and verification logs — for a minimum of five (5) years following the termination of the Business Relationship with a User, consistent with Section 7 of the AML Act 2010, the SECP AML/CFT Regulations 2018, and Para 24(II) of the SBP EMI Regulations (applied as best practice).
18.2 Escrow Transaction Records
All records of Escrow Transactions — including Transaction Terms, deposits, releases, timestamps, counterparty information, and dispute records — will be retained for a minimum of ten (10) years from the date of the transaction, consistent with Para 24(II)(a) of the SBP EMI Regulations and Section 7 of the PS&EFT Act 2007.
18.3 CDD and EDD Records
All records of CDD and EDD measures applied to a User — including source-of-funds documentation, risk assessments, senior management approval records, and periodic review findings — will be retained for a minimum of five (5) years following the termination of the Business Relationship.
18.4 STRs and Compliance Records
All STRs, CTRs, internal suspicion assessments, and related compliance records will be retained for a minimum of five (5) years from the date of filing, or longer where required by the FMU, a court order, or ongoing legal proceedings.
18.5 Extended Retention
Where records are subject to ongoing litigation, a regulatory investigation, a court order, or an active FMU inquiry, Zimma will retain all relevant records until the matter is finally resolved, regardless of whether the standard retention period has expired.
18.6 Record Integrity
All records must be maintained in a secure, tamper-evident format that enables individual transactions to be reconstructed and traced in sufficient detail to provide evidence for criminal prosecution where necessary, consistent with Para 24(II)(c) of the SBP EMI Regulations.
18.7 Regulatory Access
Zimma will make all records required under this Policy available to the SECP, the FMU, SBP, law enforcement authorities, and courts of competent jurisdiction upon receipt of a lawful request or direction.
19. INTERNAL AML/CFT CONTROLS AND COMPLIANCE OFFICER
19.1 Compliance Function
Zimma maintains an internal AML/CFT compliance function responsible for: overseeing the implementation of this Policy; conducting the STR assessment process; managing the EDD process; overseeing transaction monitoring; maintaining and updating sanctions screening lists; coordinating with the FMU, SECP, and other competent authorities; and conducting periodic internal reviews of the AML/CFT compliance framework.
19.2 Compliance Officer
Zimma designates a Compliance Officer responsible for day-to-day AML/CFT management. The Compliance Officer: has direct access to Zimma's senior management for escalating concerns; has authority to freeze User accounts and Escrow Funds where required; is responsible for filing STRs and CTRs with the FMU; and is responsible for maintaining Zimma's AML/CFT records.
19.3 No Outsourcing of Core AML/CFT Responsibilities
While Zimma uses third-party tools — including AWS Rekognition for biometric matching and Veevo Tech for OTP delivery — in connection with its KYC process, the core AML/CFT decision-making functions remain the responsibility of Zimma's internal compliance function and cannot be delegated to a third party.
19.4 Independence of Compliance Function
Zimma's AML/CFT compliance function operates independently of Zimma's commercial and business development functions to avoid conflicts of interest in AML/CFT decision-making.
20. TRAINING AND AWARENESS
20.1 Training Obligation
All Zimma personnel involved in customer onboarding, transaction processing, dispute resolution, or any other function bringing them into contact with User data or Escrow Funds must receive adequate training on: the requirements of the AML Act 2010 and the SECP AML/CFT Regulations 2018; the contents and requirements of this Policy; how to identify indicators of suspicious activity in the context of escrow operations; the tipping-off prohibition under Section 9 of the AML Act 2010; and how to escalate concerns to the Compliance Officer.
20.2 Training Frequency
Training must be provided at least annually, and whenever there is a material change to this Policy, the AML Act 2010, the SECP AML/CFT Regulations, or the FATF standards applicable to Pakistan.
20.3 Training Records
Zimma will maintain records of all AML/CFT training delivered to personnel, including dates, content covered, and names of attendees. These records will be made available to the SECP on request.
21. AMENDMENTS TO THIS POLICY
Zimma reserves the right to amend this Policy at any time to reflect changes in Applicable Laws, FATF standards, SECP AML/CFT Regulations, or Zimma's own risk assessments and operational experience. Any material amendment will be published on the Zimma platform and notified to registered Users via in-app notification and by SMS to their registered mobile number. Amendments required by regulatory direction or changes to Applicable Law may take effect immediately. This Policy is reviewed internally by Zimma's compliance function at least annually.
22. CONTACT
For AML/KYC queries or to report suspected financial crime, please contact:
Zimma Solutions (Private) Limited — Compliance Department
House 1123, Street 10, G-14/4
Islamabad Urban, ICT 42600, Pakistan
Email: hello@zimma.com.pk
Subject: "Compliance Query — [Brief Description]"
To report financial crime directly to the Financial Monitoring Unit of Pakistan:
Financial Monitoring Unit (FMU)
Ministry of Finance, Government of Pakistan
Website: www.fmu.gov.pk
This AML/KYC Policy is published in English and constitutes the legally binding version. In the event of any conflict between this Policy and any translated or summarized version, the English version shall prevail.
Governing Law: Islamic Republic of Pakistan | Jurisdiction: Courts of Islamabad, Pakistan