AML/CTF Policy | Thenks

1. Company Overview

Thenks Technologies Limited ("Thenks") is a digital tipping and payments platform that enables guests to tip service workers in the hospitality and tourism sector using card and mobile money.

Thenks facilitates the collection, management, and transparent distribution of tips to verified staff members through secure digital infrastructure.

2. Regulatory Framework

Thenks is committed to complying with all applicable Kenyan laws and regulations, including:

• Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), 2009 (as amended)
• POCAMLA Regulations, 2013
• Prevention of Terrorism Act, 2012
• Prevention of Terrorism Regulations, 2013
• Data Protection Act, 2019
• Guidance from the Financial Reporting Centre (FRC) and Central Bank of Kenya (CBK)

Thenks operates through regulated financial infrastructure partners, including Stripe (a regulated global payment processor), and aligns its controls with bank-grade AML/CTF standards.

3. Definitions

• Money Laundering: Any act intended to conceal or disguise the origin of criminally derived proceeds so that they appear legitimate.
• Terrorism Financing: The provision or collection of funds with the knowledge or intention that they will be used to support terrorist activities or organisations.
• Proceeds of Crime: Any property or economic benefit derived directly or indirectly from criminal activity.

4. Purpose

This policy establishes Thenks' framework to:

• Prevent and detect money laundering and terrorism financing
• Ensure compliance with Kenyan AML/CTF laws
• Protect customers, staff, partners, and the integrity of the platform
• Maintain trust in Thenks as a financial technology provider

5. Scope

This policy applies to:

• All Thenks employees, contractors, and agents
• All partner establishments using Thenks
• All users of the platform (guests, staff, administrators)

All personnel must comply with this policy at all times.

6. Policy Statement

Thenks maintains zero tolerance for money laundering and terrorism financing.

We are committed to:

• Preventing misuse of the platform
• Monitoring transactions and user behaviour
• Reporting suspicious activity through regulated payment partners
• Maintaining full transaction traceability and audit logs
• Cooperating with regulators and law enforcement agencies

Thenks applies a risk-based AML framework and utilises payment provider risk intelligence and transaction analytics to strengthen fraud prevention and AML monitoring across the platform.

7. Governance & Responsibilities

7.1 Founder & Leadership

• Overall accountability for AML/CTF compliance
• Approval of policies and controls
• Ensuring sufficient compliance resources

7.2 Management Team

• Implementation and enforcement of AML procedures
• Monitoring of financial flows and risk exposure
• Ensuring staff training and policy adherence

7.3 Compliance Function

Thenks designates a Compliance Lead responsible for:

• Monitoring transactions and AML risk
• Reviewing suspicious activity reports
• Escalating suspicious transaction reports through Thenks' regulated payment partners (including Stripe), who maintain direct reporting obligations to the Financial Reporting Centre (FRC)
• Maintaining AML documentation and controls
• Liaising with banks and payment partners

7.4 Employees

All employees must:

• Remain vigilant for suspicious activity
• Follow KYC and transaction control procedures
• Escalate suspicious behaviour immediately

8. Risk-Based AML Control Framework

Thenks operates a layered AML control framework aligned to its digital tipping model.

8.1 Property Verification & Due Diligence (KYB-Lite)

To mitigate risk, Thenks performs business verification and due diligence prior to activation:

• Physical verification of the establishment location (site visit where feasible)
• Verification of public presence (website, listings, digital footprint)
• Direct communication with at least three (3) management representatives
• Confirmation that the establishment is a legitimate hospitality/tourism operation
• Internal risk review and approval

Enhanced due diligence may be applied for higher-risk establishments.

8.2 Staff & Beneficiary Verification (Primary KYC Layer)

Thenks collects and verifies:

• Full legal name
• Phone number
• National ID (where applicable)
• Role within the establishment
• Staff committee/group allocation

Mobile Money (M-PESA) Verification

• Thenks verifies the registered M-PESA account name linked to the phone number using Safaricom database records
• The provided name must match the registered account holder
• Any mismatch is flagged and held for correction before payout

8.2A Guest (Payer) Identification & Data Controls

Thenks collects limited guest information at payment:

• First Name
• Last Name
• Email Address

This data is used strictly for: issuing receipts, transaction verification, fraud and dispute resolution, and compliance record keeping.

8.2B Guest Payment & Transaction Intelligence Monitoring

Through Stripe, Thenks receives risk and transaction intelligence signals, including:

• Guest transaction history on Thenks
• Card issuing country and issuing bank
• Transaction location and device signals
• Velocity and retry patterns
• Risk scoring indicators

8.3 Card Payment Controls

• 3D Secure (3DS) is enforced on all supported cards via Stripe
• Fraud signals are monitored continuously
• High-risk transactions may be declined or flagged

8.4 Transaction Review & Holding Controls

Thenks applies a review window of up to 48 hours prior to capture and payout allocation to detect fraud, reduce chargeback risk, and validate suspicious activity.

8.5 High-Value Transaction Monitoring

Any transaction above USD $1,000 (or equivalent) is automatically flagged for enhanced review before payout.

8.6 Suspicious Activity Monitoring

Thenks monitors for:

• Unusual tipping patterns
• Structuring behaviour
• Repeated failed payments
• Abnormal geographic activity
• Mismatch between guest identity, card origin, and property
• Beneficiary identity mismatches

8.7 Prohibited Relationships

Thenks will not engage with:

• Sanctioned individuals or entities
• Businesses involved in illegal activity
• Any entity that refuses to provide required verification

9. Record Keeping

Thenks maintains records for a minimum of seven (7) years, including:

• Property verification records
• Staff KYC and beneficiary data
• Guest transaction data (including name and email)
• Payment and payout records
• Audit logs and STR escalation records

10. Training

Thenks conducts regular AML/CTF training for staff covering:

• Suspicious activity detection
• KYC procedures
• Escalation protocols
• Compliance responsibilities

11. Internal Controls & Systems

Thenks maintains:

• Role-based access controls
• Segregation of duties
• Full transaction audit trails
• Internal review of payouts and adjustments
• Monitoring of treasury flows and payout balances

12. Cooperation with Authorities

Thenks cooperates fully with:

• Financial Reporting Centre (FRC)
• Central Bank of Kenya (CBK)
• Law enforcement agencies
• Banking and payment partners

13. Policy Review

This policy is reviewed:

• Every two (2) years, or
• Earlier if required due to legal, regulatory, or operational changes