1.1. Policy Statement
Metaflow Technology Platforms Limited ("Taja", "the Company", "we", or "us"), the operator of the "Taja" platform, is fully committed to preventing its services, platforms, and employees from being used to facilitate money laundering (ML), terrorist financing (TF), proliferation financing (PF), or any other financial crime.
This Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) Policy ("Policy") establishes the comprehensive framework, minimum standards, internal controls, and procedures for Taja's compliance with its legal and regulatory obligations. The Company is dedicated to maintaining the highest standards of integrity and vigilance in all its operations. We will maintain a compliance program that is effective, risk-based, and actively enforced.
1.2. Purpose and Objectives
The primary objective of this Policy is to ensure that the Taja platform is not exploited for illicit activities. This Policy is designed to:
1.3. Scope
This Policy manual applies universally to the Company and all its global operations, subsidiaries, and affiliates. It is binding on all directors, officers, management, and staff (including permanent, contract, and temporary employees), as well as any agents or partners acting on the Company's behalf.
All business units and operational functions, including but not limited to technology, product development, customer onboarding, payments, marketing, and customer support, must incorporate and adhere to the procedures outlined in this Policy.
1.4. Holder of Canada MSB License
Metaflow Technology Platforms Limited operates the Taja platform as a licensed Money Services Business (MSB) registered with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). As such, the Company is subject to the full supervisory and reporting authority of FINTRAC and must comply with all obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations.
1.5. Regulatory and Legal Frameworks
Taja ensures adherence to all applicable laws and regulations in its operating and market jurisdictions. This Policy is specifically designed to comply with:
1.6. "Higher of Home or Host" Principle
Taja's operations span multiple jurisdictions (licensed in Canada, serving users globally). Where the AML/CFT requirements of these jurisdictions differ, Taja shall adopt and implement the more stringent or prescriptive standard across its entire operation. This "higher of home or host" principle ensures the highest and most defensible level of compliance.
Rationale: This is a regulatory best practice. For example, Canada's FINTRAC sets a 25% beneficial ownership threshold, while Nigeria's CBN mandates a 5% threshold. This policy formally adopts the 5% threshold as the Company's global standard.
1.7. Key Regulatory Bodies
Taja is subject to the supervision and reporting requirements of FINTRAC (Canada), the Financial Transactions and Reports Analysis Centre of Canada. As our primary licensor, FINTRAC receives regulatory reports (STRs, LCTRs, etc.) and conducts compliance examinations.
2.1. Money Laundering (ML) Defined
Money laundering is the criminal process of disguising the origin of money or assets derived from illegal activities ("proceeds of crime") to make them appear legitimate. Profit-motivated crimes that generate such proceeds include drug trafficking, fraud, corruption, organized crime, and tax evasion.
The Taja platform, which facilitates the rapid, cross-border movement of funds, could be attractive to criminals seeking to obscure the money trail.
2.2. Terrorist Financing (TF) Defined
Terrorist financing provides funds for terrorist activity. This involves the collection, provision, or movement of funds, from either legitimate or illegitimate sources, with the intention or knowledge that they will be used to support terrorist acts or organizations.
Unlike money laundering, the source of funds can be legal (e.g., personal donations, business profits), but the intended use is criminal. Detecting TF often involves identifying patterns of small-value transactions, which are difficult to distinguish from legitimate transfers.
2.3. Proliferation Financing (PF) Defined
Proliferation financing is the act of providing funds or financial services for the manufacture, acquisition, possession, development, or transport of nuclear, chemical, or biological weapons (Weapons of Mass Destruction or WMDs) and their delivery systems. This includes funds for dual-use goods intended for non-legitimate purposes. Taja is obligated to screen for and block any transactions related to PF.
2.4. Stages of Money Laundering
The money laundering process is traditionally described in three stages. These stages can be separate, overlap, or occur simultaneously.
2.4.1. Placement
This is the initial stage where illicit funds are first introduced into the legitimate financial system. For the Taja platform, this could be an attempt to receive a fraudulent wire transfer into a newly created virtual account.
2.4.2. Layering
This is the process of separating the criminal proceeds from their source by using complex layers of financial transactions. The goal is to hide the audit trail and provide anonymity.
Taja Platform Risk: This is the highest-risk stage for our platform. A launderer might use a mule account on Taja to receive illicit funds (Placement), and then immediately attempt to make a payout to a third-party bank account or a crypto-exchange (Layering). Our strict prohibition on third-party payouts is designed to directly disrupt this stage.
2.4.3. Integration
This is the final stage where the laundered funds re-enter the legitimate economy, appearing as "clean" money. The criminal can now use the funds to invest in businesses, real estate, or luxury assets.
2.5. Consequences of Non-Compliance
3.1. The Five Pillars of Compliance
Taja's AML/CFT Program is built upon the five internationally recognized pillars of an effective compliance program, as required by FINTRAC and global standards:
3.2. Governance Structure
A clear governance structure is essential for compliance. AML/CFT is the responsibility of every employee, but oversight is managed through a clear hierarchy.
3.3. Roles and Responsibilities
3.3.1. Board of Directors
The Board of Directors (or its equivalent governing body) has ultimate responsibility for ensuring Taja complies with its AML/CFT obligations. The Board shall:
3.3.2. Senior Management
Senior Management is responsible for executing the Board-approved Program. They shall:
3.3.3. Chief Compliance Officer (CCO)
The CCO is the designated individual responsible for the implementation and management of the AML/CFT Program. The CCO's duties include:
3.3.4. Compliance Department Staff
Compliance staff (e.g., Compliance Analysts, Officers) report to the CCO and support the Program by:
3.3.5. All Employees
All employees are the "first line of defense" and have a personal responsibility for compliance:
3.4. Communication and Escalation
Clear and confidential lines of communication are vital.
4.1. The Risk-Based Approach (RBA)
Taja adopts a Risk-Based Approach (RBA) to AML/CFT compliance, as mandated by FINTRAC and FATF. This means we identify, assess, and understand the specific ML/TF risks we face, and then apply mitigation measures that are proportionate to those risks.
Our RBA involves the following steps:
4.2. EWRA Methodology
The CCO is responsible for conducting and documenting a comprehensive Enterprise-Wide Risk Assessment (EWRA).
Frequency: The EWRA will be reviewed and updated at least annually, or more frequently if a "material trigger event" occurs.
Material Triggers: Such events include, but are not limited to, the introduction of new products (e.g., new virtual account currencies), expansion into new target markets, changes in banking partnerships, or significant changes in the regulatory landscape.
Process: The EWRA involves assessing the likelihood and impact of risks across four key categories, identifying the controls in place, and determining the residual risk rating.
4.3. Inherent Risk Factors
4.3.1. Product and Service Risk
Inherent Risk: High.
Rationale: The Taja platform offers services that are inherently attractive for ML/TF:
Higher Risk Indicators:
Mitigation: Strict CDD/EDD, prohibition of third-party payouts, automated transaction monitoring, and the Travel Rule.
4.3.2. Customer Risk
Inherent Risk: High.
Rationale: Our target market may include individuals or entities whose activities are high-risk.
Higher Risk Indicators:
Mitigation: A risk-based CDD process, mandatory EDD for high-risk customers, and enhanced monitoring. We explicitly prohibit certain customer types (see Appendix 2).
4.3.3. Geographical Risk
Inherent Risk: High.
Rationale: We are licensed in Canada (low-risk), but our user base may include customers from countries such as Nigeria, a jurisdiction identified by FATF as having strategic AML/CFT deficiencies ("grey list"). We also process payments from global jurisdictions (USD, GBP, EUR).
Higher Risk Indicators:
Mitigation: All users from "grey list" jurisdictions (e.g., Nigeria) are automatically rated as high-risk and subject to EDD. We maintain a Prohibited Countries List (Appendix 1) from which we will not accept users or transactions.
4.3.4. Delivery Channel Risk
Inherent Risk: High.
Rationale: The Taja platform is a non-face-to-face (NFTF) service, delivered exclusively through a mobile application. This channel prevents traditional in-person verification and increases identity fraud risk.
Higher Risk Indicators:
Mitigation: Robust digital identity verification methods, multi-factor authentication, IP address monitoring, and velocity checks.
4.4. Risk Mitigation and Controls
This Policy and its procedures are the primary risk-mitigation framework. Key controls include:
4.5. Customer Risk Assessment (CRA)
4.5.1. Customer Risk Scoring System
Every user is assigned a risk score at onboarding, which is dynamically updated throughout the business relationship. This score is calculated based on objective criteria, including:
4.5.2. Risk Categories
Users are categorized based on their score:
Action: All "Above Average Risk" and "High Risk" customers are subject to mandatory Enhanced Due Diligence (EDD).
5.1. KYC Policy Objective
The "Know Your Customer" (KYC) procedure is Taja's most critical defense against financial crime. The objective is to establish and verify the true identity of every user, understand the nature of their activities, and assess the ML/TF risks they may pose.
5.2. When CDD is Required
Taja must perform CDD measures at the following times:
5.3. Standard Customer Due Diligence (CDD)
At a minimum, Standard CDD must be performed for all users and includes the following steps:
5.3.1. Identifying Individuals
We must collect the following for all individual users:
5.3.2. Identifying Legal Entities (Corporate Accounts)
We must collect the following for all corporate users:
5.3.3. Identifying Beneficial Ownership
For all corporate accounts, we must identify and take reasonable measures to verify the identity of the Ultimate Beneficial Owners (UBOs).
Rationale & Threshold: FINTRAC requires identifying UBOs at 25% ownership. In line with our "higher of home or host" principle, Taja will identify and verify all natural persons who, directly or indirectly, own or control 5% or more of the legal entity.
Control: Where no individual meets the 5% threshold, we must identify the natural person(s) who exercise control through other means (e.g., control of the Board).
Senior Management: If no UBO can be identified, we must identify and verify the identity of the senior managing official(s) of the entity (e.g., CEO, CFO).
Information: For each UBO identified, we must collect their Full Legal Name, Date of Birth, and Address, and verify their identity as if they were an individual user.
5.3.4. Understanding the Purpose and Intended Nature of the Business Relationship
We must understand why the user is opening an account. This includes:
This information forms the "baseline" for ongoing transaction monitoring.
5.3.5. Verifying Identity (Documentary and Non-Documentary)
We must verify the identity of all users and UBOs using reliable, independent source documents, data, or information.
For Individuals:
For Legal Entities:
5.4. Prohibited Practices
5.4.1. Anonymous or Fictitious Accounts
It is strictly prohibited for Taja to open or maintain any anonymous accounts, accounts in fictitious names, or "numbered" accounts.
5.4.2. Third-Party and Mule Accounts
It is strictly prohibited for any user to open an account on behalf of another person, or to sell or "rent" their account to a third party. This practice, known as mule activity, is a key indicator of money laundering and is grounds for immediate and permanent account termination.
5.4.3. Shell Banks
Taja is prohibited from establishing or continuing any correspondent relationship with a shell bank (a bank with no physical presence or affiliation with a regulated group). We must take measures to ensure our banking partners do not permit their accounts to be used by shell banks.
5.5. Enhanced Due Diligence (EDD)
EDD consists of additional, more stringent measures to be taken for all users and relationships classified as "Above Average" or "High" risk. This is not an optional step.
5.5.1. EDD Triggers
EDD is automatically triggered for, but not limited to:
5.5.2. Required EDD Measures
Where EDD is triggered, the following measures must be taken in addition to Standard CDD:
5.5.3. Source of Wealth (SoW) and Source of Funds (SoF) Verification
Source of Wealth (SoW): This refers to the origin of the user's total net worth or economic profile (e.g., "Employment income," "Business ownership," "Inheritance"). We must obtain documentary evidence for this, such as:
Source of Funds (SoF): This refers to the origin of the specific funds being used for a transaction (e.g., "Company profits," "Sale of property"). We must obtain evidence for this, such as:
5.6. Politically Exposed Persons (PEPs)
Relationships with PEPs present a higher risk of corruption and money laundering.
5.6.1. Definitions
Foreign PEP (FPEP): An individual who holds or has held a prominent public office in a foreign country (e.g., head of state, senior politician, senior judicial or military official, senior executive of a state-owned corporation).
Domestic PEP (DPEP): An individual who holds or has held a similar prominent public office within Canada (e.g., Governor General, MP, deputy minister, head of a Crown corporation).
Head of an International Organization (HIO): The head (e.g., CEO, President) of an international organization (e.g., UN, NATO).
Family Member: Includes spouse, common-law partner, children, parents, siblings, and in-laws.
Close Associate: An individual closely connected to a PEP for personal or business reasons.
5.6.2. Identification of PEPs
Taja must take reasonable measures to determine if a user or UBO is a PEP, HIO, family member, or close associate. This is done by:
5.6.3. Procedures for PEPs
If a user is identified as a PEP (or a family member/close associate), they are automatically rated High Risk and the following EDD measures are mandatory:
5.7. Sanctions Screening
5.7.1. Screening Requirement: Taja is prohibited from transacting with any individual, entity, or country designated under applicable sanctions regimes. All users, UBOs, and relevant transaction counterparties (where possible) must be screened.
5.7.2. Screening Lists: Screening is conducted at onboarding and on an ongoing (e.g., daily) basis against, at minimum:
5.7.3. Procedure on "True Match"
Upon identifying a "true match" to a sanctions list:
5.8. Ongoing Monitoring
CDD is not a one-time event. We must conduct ongoing monitoring of all business relationships to detect unusual activity and keep user information current.
5.8.1. Frequency of Review: User profiles must be formally reviewed and refreshed at a frequency based on their risk rating:
5.8.2. Trigger Events for Review: An ad-hoc review of a user's CDD information must be conducted upon a "trigger event", such as:
5.8.3. Enhanced Ongoing Monitoring: All high-risk accounts (including all PEPs and Nigerian-based users) are subject to enhanced ongoing monitoring, which includes:
5.9. Documentation Deferral
As a rule, all KYC documentation must be collected and verified before a business relationship is established or transactions are permitted. In exceptional, low-risk cases, a non-individual (corporate) user may be granted a deferral for non-critical documents.
Approval: Deferrals may only be approved by the CCO or CEO.
Restrictions:
5.10. Reliance on Third Parties
Taja may, in limited circumstances, rely on a third party (e.g., a regulated financial institution) to perform elements of the CDD process, provided:
6.1. Transaction Monitoring
6.1.1. Key Internal Processes: Taja shall implement and maintain a robust transaction monitoring system (automated and manual) to detect unusual and potentially suspicious activities. This system is designed to identify transactions that are inconsistent with a user's known, legitimate business or personal activities.
6.1.2. Automated Monitoring and Alerts: Our automated system monitors transactions in real-time and post-transaction, generating alerts for review by the Compliance Department. Alerts are triggered by rules based on:
6.1.3. AML/TF Red Flag Indicators: All employees must be vigilant for "red flags" that may indicate ML/TF. While not exhaustive, the following are critical indicators for the Taja platform:
Customer-Related:
Transaction-Related:
Employee-Related:
6.2. Internal Suspicious Activity Reporting
6.2.1. Employee Obligation to Report: Any employee who detects a "red flag" or, in the course of their duties, knows or suspects that a transaction may be related to ML/TF has a mandatory, non-negotiable obligation to report it internally.
6.2.2. Internal Escalation Flow
6.2.3. CCO Investigation and Determination: The CCO will document all internal reports and the outcome of the investigation, including the rationale for either filing an STR or determining that no suspicion was found. This documentation is critical for audits.
6.3. External Regulatory Reporting
6.3.1. Suspicious Transaction Reports (STRs): An STR (or SAR) must be filed with the relevant FIU if the CCO forms "Reasonable Grounds to Suspect" (RGS) that a transaction (or attempted transaction) is related to the commission or attempted commission of an ML/TF offense.
6.3.2. Defining "Reasonable Grounds to Suspect" (RGS)
Simple Suspicion: A hunch or intuition; cannot articulate the reason. This is not enough for an STR but requires further investigation.
Reasonable Grounds to Suspect (RGS): The standard for filing. It is a step above simple suspicion. It means there is a possibility of ML/TF based on an assessment of facts, context, and indicators. The suspicion does not need to be proven or verified as a crime.
Reasonable Grounds to Believe: A higher standard (probability) where facts are verified and support the belief that a crime is occurring. We do not wait for this standard to file an STR.
6.3.3. Reporting to FINTRAC (Canada): The CCO must submit an STR to FINTRAC "as soon as practicable" (typically within 3 days, and no later than 30 days) after RGS is formed.
6.3.4. Terrorist Property Reports (TPRs): We must immediately submit a TPR to FINTRAC (and relevant law enforcement) if we know or believe we are in possession or control of property owned or controlled by or on behalf of a terrorist or terrorist group. This is a "knowledge" or "belief" standard, not suspicion.
6.3.5. Large Cash Transaction Reports (LCTRs): We must report to FINTRAC when we receive $10,000 CAD or more in cash (or its foreign equivalent) in a single transaction, or in multiple transactions within a 24-hour period (the "24-hour rule"). This report must be filed within 15 calendar days.
6.3.7. Large Virtual Currency Transaction Reports (LVCTRs): We must report to FINTRAC when we receive virtual currency (VC) equivalent to $10,000 CAD or more in a single transaction (or 24-hour period). This report must be filed within 5 working days.
6.3.8. Electronic Funds Transfer Reports (EFTRs): We must report to FINTRAC all international Electronic Funds Transfers (EFTs) of $10,000 CAD or more (or its equivalent) that we initiate or finally receive. This report must be filed within 5 business days. This also includes the "24-hour rule" for multiple smaller transfers from the same person.
6.4. Enforcement Actions and Cooperation
6.4.1. Right to Freeze, Terminate, or Reverse: As stated in our user terms, Taja reserves the right, upon forming RGS of ML/TF or identifying a direct violation of this Policy (such as attempted third-party payouts), to take immediate enforcement actions. These actions include, but are not limited to:
6.4.2. Cooperation with Law Enforcement: Taja will cooperate fully with all competent authorities (e.g., FINTRAC, RCMP, EFCC). This includes:
6.5. Prohibition of "Tipping-Off"
This is a critical legal obligation. No director, officer, employee, or agent of Taja shall disclose to any person, especially the customer involved, that:
"Tipping-off" is a serious criminal offense and is grounds for immediate termination and potential criminal prosecution.
Voluntary Self-Declaration of Non-Compliance
If Taja identifies a failure in its compliance program (e.g., a batch of reports was missed), it is our policy to proactively manage the issue. The CCO will assess the issue and, where appropriate, make a voluntary self-declaration of non-compliance to FINTRAC. This declaration will include the nature of the issue, the period, the reason, and a detailed remediation plan.
7.1. General Record-Keeping Requirement
Taja shall keep complete and accurate records of all transactions, KYC/CDD information, and AML/CFT compliance activities. These records are essential to assist law enforcement, satisfy regulators, and reconstruct transactions.
7.2. Retention Period
All records required by this Policy must be kept for a minimum of five (5) years from the date the record was created (e.g., date of transaction) or five (5) years after the business relationship has ended (e.g., date of account closure), whichever is later.
7.3. Preserved Documentation
The following records must be kept for the 5-year retention period:
7.4. Additional Record-Keeping Requirements
Government-Issued ID: When verifying an ID, we must record the person's name, document type, document number, issuing jurisdiction, and expiry date.
Third-Party Reliance: If we rely on a third party for CDD, we must keep the written agreement with that third party.
Entity Verification: We must keep the paper or electronic record used to verify a corporation's existence (e.g., the corporate registry search result).
7.5. The "Travel Rule"
Taja must comply with the "Travel Rule" for EFTs and VC transfers. This means we must ensure that all qualifying transfers include specific originator and beneficiary information:
We must take reasonable measures to ensure this information is included when sending a transfer and is received when acting as an intermediary or beneficiary.
7.6. Record Accessibility
All records must be maintained in a secure, organized manner (electronically) and must be retrievable for FINTRAC, CBN, or other competent authorities. As per FINTRAC requirements, records must be provided within 30 days of a request. As per Nigerian regulations, records must be available "on a timely basis, not later than 48 hours".
Policy: In line with our "higher of home or host" principle, Taja will endeavor to meet the 48-hour access standard where feasible, and in all cases will meet the 30-day standard.
8.1. Know Your Employee (KYE)
The integrity of our employees is as important as the identity of our customers. A robust KYE program is essential to prevent insider abuse, fraud, and willful blindness.
8.1.1. Staff Screening and Integrity
Hiring Process: Taja must exercise due diligence during the hiring process for all employees, especially those with access to financial systems or customer data.
Checks: This process includes verifying identity, work history, and conducting:
Integrity: All employees are expected to maintain the highest standards of moral judgment, honesty, and professional conduct.
8.1.2. Counterchecking of Work
Senior management and team leads will perform occasional, risk-based spot checks and reviews of work done by staff to ensure policies and procedures are being followed correctly.
8.1.3. Employee Actions
To get to know employees, the Company may conduct:
8.2. Staff Training and Awareness
8.2.1. Training Program Requirement: Taja shall provide a comprehensive, ongoing AML/CFT training program for all directors, officers, senior management, and employees.
8.2.2. Frequency and Audience
8.2.3. Essential Training Content: The training program, managed by the CCO, will cover:
8.2.4. Training Records: The CCO shall maintain a register of all training sessions, including dates, content, and attendee lists, to be made available for audits.
8.2.5. Non-Compliance: Completion of training is mandatory. Failure to complete training may result in disciplinary action, up to and including suspension or termination.
8.3. Anti-Bribery and Corruption (ABC)
Taja has zero tolerance for bribery and corruption.
Policy: No employee or agent may offer, solicit, or accept any bribe, kickback, or other corrupt payment to or from any person (including government officials or commercial partners).
Gifts: Employees must not ask for or receive gifts or hospitality of significant value (e.g., above NGN 50,000 or $50 CAD) from a customer or vendor. All gifts must be reported to a supervisor. Any gift that could be seen as an inducement must be rejected, regardless of value.
9.1. Review Requirement: To ensure Taja's AML/CFT Program is effective and compliant, the Program shall be subject to a regular, independent review (audit).
9.2. Frequency: As a Canadian MSB, this independent review must be conducted at a minimum once every two (2) years. The CCO may commission a review more frequently if there are material changes to the business or its risk profile.
9.3. Auditor Independence: The review must be conducted by an auditor (either internal or external) who is independent of the AML/CFT Program and the CCO. The auditor must have sufficient knowledge of Canadian and Nigerian AML/CFT requirements to conduct the review.
9.4. Scope of Review: The review will be comprehensive and must test, at a minimum:
9.5. Reporting and Remediation: The auditor will produce a formal written report detailing their findings, any identified deficiencies, and recommendations for improvement.
This report will be provided directly to Senior Management and the Board of Directors.
The CCO is responsible for creating and executing a formal remediation plan to address all findings. This plan and its progress will be tracked and reported to the Board.
Appendix 1: List of Prohibited and High-Risk Countries
Taja maintains a dynamic list of Prohibited and High-Risk countries based on guidance from FATF, FINTRAC, and other credible sources.
A. Prohibited Jurisdictions: Taja will not establish any business relationship with, or process transactions to/from, individuals or entities in the following jurisdictions:
B. High-Risk Jurisdictions (Requires EDD)
All users from or transacting with the following jurisdictions are automatically rated High-Risk and are subject to mandatory Enhanced Due Diligence (EDD):
This includes, but is not limited to: NIGERIA, South Africa, Turkey, UAE, Burkina Faso, Cameroon, Croatia, DRC, Haiti, Jamaica, Kenya, Mali, Mozambique, Philippines, Senegal, South Sudan, Syria, Tanzania, Vietnam, Yemen.
Other jurisdictions identified by credible sources (e.g., Transparency International) as having high levels of corruption, organized crime, or weak AML/CFT regimes.
(This list is illustrative and will be maintained and updated by the CCO based on real-time regulatory guidance.)
Appendix 2: List of Prohibited Industries
Taja will not open accounts for any individual or entity whose primary business or stated purpose involves any of the following activities, as they fall outside our risk appetite:
Appendix 3: List of High-Risk Industries
Individuals or entities operating in the following industries are considered High-Risk and will be subject to mandatory Enhanced Due Diligence (EDD):
Appendix 4: AML/TF Red Flag Indicators
This is a non-exhaustive list of "red flags" that all employees must be aware of. The presence of one flag does not automatically mean ML/TF, but it requires further scrutiny.
A. User Profile & Onboarding Red Flags:
B. Transactional Red Flags: