1Introduction
Flamingo Pay (Pty) Ltd (“Flamingo”) maintains this Risk Management Compliance Programme (“RMCP”) under section 42 of the Financial Intelligence Centre Act 38 of 2001 (“FICA”) and Directive 6 of 2023 issued by the Financial Intelligence Centre (“FIC”).
The RMCP documents how Flamingo identifies, assesses, and mitigates money-laundering, terrorist-financing, and proliferation-financing risks across its QR payment platform for the South African informal economy. This page is the authoritative, versioned summary that examiners and banking partners should read alongside the full RMCP policy document.
2Scope of this programme
This RMCP applies to every transaction processed on the Flamingo platform, every merchant onboarded to the platform, and every Flamingo officer, employee, or agent involved in the handling of customer funds or personal information.
Flamingo operates as a technology payment facilitator under Ozow's Payment Clearing House membership and does not itself hold client funds. However, Flamingo performs full customer due-diligence, risk rating, and transaction monitoring on every merchant and every transaction — regardless of whether the downstream settlement is via Ozow or another acquirer.
3Governance
The RMCP is approved and reviewed by the Flamingo Board. The Accountable Officer responsible for FICA compliance is the Managing Director. The Compliance Officer (Information Officer for POPIA purposes) reports directly to the Managing Director and has unrestricted access to systems, records, and staff needed to discharge the compliance function.
4Customer due diligence
Flamingo applies a three-tier risk-based CDD programme, calibrated to expected monthly volume and merchant profile. The tier is selected at signup and adjusted dynamically if actual volumes move a merchant into a higher bracket.
| Tier | Monthly volume | Required identification | Automated checks (VerifyNow) |
|---|---|---|---|
| Simplified | < R5,000 | RICA-registered phone (verified by SMS OTP at signup), selfie, sworn affidavit from a commissioner of oaths. SA ID number is optional at this tier. | None by default — manual affidavit review by Compliance. If the merchant supplies an ID, SAID + AML/PEP/sanctions checks still run. |
| Standard | R5,000 – R100,000 | SA ID, selfie, proof of address, bank confirmation letter, business registration or affidavit. | SAID verification, AML/PEP/sanctions, biometric liveness (ID photo enhanced), bank account verification (AVS). |
| Enhanced | > R100,000 | All Standard documents plus source-of-funds declaration. Registered businesses additionally supply CIPC certificates and beneficial-ownership declaration. | All Standard checks plus face match. Registered businesses also run CIPC company and director searches. |
The Simplified tier operates under FICA Directive 6 on simplified customer due diligence for low-value accounts serving the informal economy. It is subject to a transaction cap of R5,000 per rolling 30-day window enforced at the limits-engine layer. Where a merchant exceeds their tier cap, Flamingo applies a soft cap with a held-funds grace windowrather than rejecting the buyer at point of payment: post-cap payments are accepted and recorded but settle to a “Pending KYC” sub-balance and do not pay out to the merchant. The merchant has seven (7) calendar days from the first cap-exceeding payment to complete next-tier KYC. On successful upgrade, all held funds are released to the merchant’s available balance. If KYC is not upgraded within the grace window, the limits engine flips to a hard reject for new payments, and held funds are auto-reversed to the originating buyers no later than thirty (30) days from receipt. This design treats the tier cap as a risk-management trigger consistent with the FICA risk-based approach (RBA), avoids the consumer-harm failure mode of declining a buyer at the till, and leaves a clear documentary trail for FIC inspection.
Sanctions screening runs against the UN Consolidated List, the SA Targeted Financial Sanctions List, and politically exposed person (PEP) lists. High-risk merchants (cash-intensive businesses, non-face-to-face onboarding, adverse media) are escalated to Enhanced Due Diligence regardless of monthly volume, including source-of-funds declaration and ongoing monthly review.
5Transaction monitoring
Transaction monitoring runs synchronously on every incoming transaction and asynchronously across each merchant's rolling history. Rules are parameterised per merchant type (see Appendix D below) because a taxi-rank spaza and a professional service provider have categorically different normal-behaviour envelopes; applying a single global threshold to both would either miss real suspicious activity at the service provider or flood the queue with false positives from the spaza.
Flagged transactions are queued in the compliance dashboard, reviewed by a human Compliance Officer within one business day, and either cleared, escalated to EDD, or filed as an STR to the FIC as appropriate.
6STR & CTR filing
Cash Threshold Reports (s28): any single transaction of R 25 000 or more generates a CTR automatically and is filed with the FIC via goAML XML upload within two business days.
Suspicious Transaction Reports (s29): when the Compliance Officer concludes that a transaction or pattern is suspicious, an STR is filed with the FIC via goAML XML upload within fifteen working days of the suspicion arising. Tipping off is prohibited.
7Record keeping
All KYC records, transaction records, risk assessments, and STR/CTR filings are retained for five years (1,827 days) from the date the business relationship ends or the transaction is concluded, per FICA s42.
8Staff training
All staff complete FICA and POPIA training at onboarding and annually thereafter. The Compliance Officer maintains a training register and attendance records as part of the FICA file.
9Review cycle
This RMCP is reviewed at least annually, or sooner if there is a material change in Flamingo's products, risk profile, or applicable law. Changes are logged in the version history at the top of this document and in the internal policy register.
DAppendix D — Transaction monitoring rules
The following rules are implemented in the platform's rules engine (lib/store.ts > rulesForMerchant()) and evaluated on every transaction. Thresholds marked “per profile” are read from lib/business-profiles.ts — the per-type values are tabulated in Appendix D.1.
| Rule ID | Name | Trigger |
|---|---|---|
| TM-01 | High amount | Single transaction ≥ merchant profile's highAmountThreshold (baseline R 5 000). |
| TM-02 | Velocity | More than profile's velocityMax transactions in 15-minute sliding window (baseline 20 txns). |
| TM-03 | Anomaly | Single transaction ≥ profile's anomalyMultiplier× merchant's rolling average (baseline 5×). |
| TM-04 | Structuring | Multiple transactions just below R 25 000 (CTR threshold) within 24 hours. Detected by STR pattern engine. |
| TM-05 | CTR threshold | Single transaction ≥ R 25 000 — auto-generates CTR (FICA s28). |
| TM-06 | Unusual hours | Transaction timestamp falls within profile's off-hours window (baseline 23:00–05:00). |
| TM-07 | Manual | Compliance Officer manually flags any transaction for review. |
D.1Appendix D.1 — Per-merchant-type profiles
Flamingo's merchant base ranges from taxi-rank spazas with dozens of small transactions per hour to professional service providers with one large invoice per week. A single global threshold would either miss fraud at the low-volume end or drown the compliance queue in false positives at the high-volume end. The table below shows the parameters applied to each business type; merchants not matching a listed type use the DEFAULT baseline.
| Business type | High amount | Velocity (max / window) | Unusual hours | Anomaly × |
|---|---|---|---|---|
| Spaza / General Dealer | R 5 000 | 60 / 15 min | 00:00–04:00 | 8× |
| Tuckshop | R 3 000 | 50 / 15 min | 00:00–04:00 | 8× |
| Street vendor | R 3 000 | 50 / 15 min | 23:00–04:00 | 8× |
| Fruit & veg | R 5 000 | 40 / 15 min | 23:00–03:00 | 6× |
| Butchery | R 8 000 | 25 / 15 min | 22:00–05:00 | 5× |
| Takeaway / Food | R 5 000 | 35 / 15 min | 00:00–04:00 | 5× |
| Hair salon / Barber | R 5 000 | 15 / 15 min | 22:00–06:00 | 4× |
| Car wash | R 3 000 | 20 / 15 min | 21:00–06:00 | 5× |
| Service provider | R 10 000 | 15 / 15 min | 22:00–06:00 | 4× |
| DEFAULT (Other) | R 5 000 | 20 / 15 min | 23:00–05:00 | 5× |
This table is rendered at request time from lib/business-profiles.ts; any change to a profile threshold is reflected here on the next deploy. The policy document and the live rules engine therefore cannot drift.
✉Contact
Compliance Officer
Flamingo Pay (Pty) Ltd
Reg No: 2026/276925/07
A23, 10th Ave, Edenburg, Rivonia, Sandton, 2091
Phone: 063 947 7208
Email: compliance@flamingopay.co.za