MSolution Logo
About UsServicesProjectsBlogsDocumentsContact
PaymentDevelopment
Privacy PolicyInforming payersRisk and Compliance Management Policy

Risk and Compliance Management Policy

Last updated: March 23, 2025

Purpose

• Multi Solutions LLC is committed to conducting its operations in a safe, lawful, and responsible manner. This policy defines a clear approach to the company's Risk and Compliance Management System (RCMS) and confirms that the primary objective is to create and protect value — by preventing loss, fulfilling obligations, providing reliable services, and supporting informed, risk-based decision-making. • The policy explains management responsibilities, roles and accountabilities, communication, and reporting procedures. It guides daily decisions and actions; detailed approaches and steps are outlined in the relevant procedures.

Scope

This policy applies to all our teams, locations, and contractors involved in our services.

References: • ISO 31000: Risk Management • ISO 37301: Compliance Management Systems • ISO/IEC 27001: Information Security Management Systems • ISO 22301: Business Continuity Management Systems • Regulatory requirements in the countries where we operate, especially in areas such as: payment services, anti-money laundering/combating the financing of terrorism, targeted financial sanctions, data protection, and consumer rights.

Definitions

• Risk: The possibility that an event or action will adversely affect objectives. • Compliance: Adherence to laws, regulations, contracts, standards, and internal policies. • RCMS: The company-wide policies, roles, processes, and records system applied for managing risk and compliance. • Obligation: A specific legal, regulatory, contractual, or policy requirement that must be fulfilled. • Risk Appetite: The level of risk accepted to achieve objectives. • Risk Owner: The person accountable for a risk and its controls. • Control: A measure that prevents, detects, or corrects a risk and ensures compliance. • Incident: An unplanned and undesired event affecting or potentially affecting services, customers, data, or compliance. • Non-compliance: A confirmed instance of failure to meet a compliance requirement. • Registry: An official, continuously updated list (e.g., risk registry, obligations registry, incidents registry). • Evidence: Documents or records demonstrating that a control or action has been executed. • Key Risk Indicator (KRI): A metric indicating an increasing risk. • Key Performance Indicator (KPI): A metric measuring achievement of key objectives. • Outsourcing / Third Party: A vendor or partner performing a process or service on behalf of the organization. • AML/CFT: Anti-Money Laundering and Combating the Financing of Terrorism.

Leadership Commitment

Leaders set direction and ensure the system functions effectively.

• Sets RCMS objectives and allocates resources. • Applies near-zero tolerance for regulatory non-compliance and customer harm. • Reviews monthly/quarterly risk and compliance reports and requires timely corrective actions. • Supports awareness of relevant stakeholders and measures results with practical indicators.

Management and Roles

We use a three lines of defense model.

• First Line (Business and Operations): manages process risks and compliance, executes controls, reports incidents and non-compliance without delay, and carries out RCMS-related tasks. • Second Line (Risk & Compliance, AML/CFT, Information Security, Internal Control): develops procedures and rules supporting this policy, manages methods and registries, checks controls, monitors compliance, educates teams on RCMS, and provides recommendations to leadership. • Third Line (Audit): provides objective evaluation and recommendations through internal and/or external independent audits.

Key Areas of Control

• Financial resilience and reporting • Anti-Money Laundering and Combating the Financing of Terrorism • Transaction and fraud monitoring • Data protection and information security • Business continuity and resilience • Partners and outsourcing

Training, Awareness, and Communication

All employees complete mandatory training annually. Role-based specialized training is provided when needed. New hires receive awareness training during onboarding. After major changes or relevant events, refresher training is provided to relevant teams as needed. The policy is published as a controlled copy in a central folder and communicated via internal announcements and team briefings. The approved latest version of this policy is published on the website. It is provided to regulators, banks, merchants, and partners when required by law or contract.

Accelerate your transition to the digital world with MSolution

MSolution empowers you to manage your payments easily, securely, and efficiently. Our team is always ready to deliver fully customized solutions designed to meet your business needs.

icon