Risk Framework

Risk Management Framework

Last updated · February 2026

1. Purpose

This Risk Management Framework (the "Framework") sets out the approach Unlshd Ltd, trading as NeptunePay ("Unlshd", "we"), takes to identify, assess, manage, monitor, and report the risks that arise from its business activities. The Framework is calibrated to the operating model described in Section 3 below — Unlshd as a technology and merchant-introduction provider that does not handle, hold, or transmit funds.

2. Scope

This Framework applies enterprise-wide. It covers all activities, products, services, employees, officers, contractors, and partner relationships of Unlshd. It is read alongside the suite of policies and procedures listed in Section 11.

3. Operating Model and Risk Boundary

Unlshd: (i) provides technology, integration, configuration, and operational support to merchants and partner acquirers; (ii) introduces merchants to direct acquirers; and (iii) earns technology fees, integration fees, or referral commissions paid by acquirers or merchants.

Unlshd does not: (i) provide payment services or issue electronic money; (ii) hold or transmit merchant or end-customer funds; (iii) act as an acquirer, payment facilitator, or money services business.

This operating boundary is the foundation of the risk profile addressed by this Framework. Any proposal to alter the boundary — for example, by routing funds through a Unlshd-controlled account, holding rolling reserves, or contracting directly with end-merchants for payment processing — requires Board approval, an updated Framework, and (where applicable) regulatory authorisation.

4. Risk Appetite

The Board has approved the following risk appetite statements. The risk appetite is reviewed annually and on material change.

4.1 Financial-Crime Risk

Conservative. Unlshd does not accept any tolerance for facilitation of money laundering, terrorist financing, sanctions evasion, or other financial crime. Higher-risk verticals (iGaming, foreign exchange/CFD, adult content) are accepted only where the merchant is demonstrably licensed, compliant, and subject to enhanced due diligence.

4.2 Regulatory Risk

Conservative. Unlshd is committed to operating within the unregulated tech-provider boundary described in Section 3 and to satisfying all applicable laws (including data protection, consumer protection, and tax). Activities that would require Unlshd to hold a licence it does not hold are not undertaken.

4.3 Counterparty (Acquirer and Merchant) Risk

Moderate. Unlshd accepts that working with regulated direct acquirers and with merchants in higher-risk verticals carries inherent counterparty risk. This is mitigated by acquirer due diligence, merchant due diligence, contractual protections, and ongoing monitoring.

4.4 Operational and Technology Risk

Moderate. Unlshd accepts that operating a payment-adjacent technology service exposes the business to outage, integration, security, and human-error risk. The risk is mitigated by reliance on the underlying licensed Paytech platform and on a documented operational control environment.

4.5 Reputational Risk

Conservative. Unlshd takes a low-tolerance stance on activity that could damage its reputation with acquirers, schemes, regulators, or the public. This includes a willingness to decline or terminate merchants that are technically permissible but reputationally damaging.

4.6 Strategic and Concentration Risk

Moderate. Unlshd recognises that early-stage concentration (limited number of acquirers, limited number of high-value merchants, dependency on a single underlying technology platform) is unavoidable, but commits to active diversification as the business matures.

5. Risk Categories

Unlshd identifies and manages risk under the following principal categories. Each category has a designated risk owner and is reviewed in the Risk Register.

5.1 Financial-Crime Risk

The risk that Unlshd's services are misused for money laundering, terrorist financing, sanctions evasion, or other financial crime. Owned by the MLRO/Compliance Officer. Managed via the AML/CTF Policy (NP-POL-002), Sanctions Compliance Statement (NP-POL-003), and Merchant Onboarding and KYB Procedure (NP-PROC-001).

5.2 Regulatory and Legal Risk

The risk of breach of applicable law, regulation, or scheme rule, including unauthorised provision of payment services, data-protection breach, consumer-protection breach, sanctions breach, tax non-compliance, or scheme rule breach. Owned by the Compliance Officer in conjunction with external legal counsel.

5.3 Counterparty Credit and Performance Risk

The risk that an acquirer fails to perform (settlement disruption, sudden offboarding, scheme deregistration) or that a merchant fails to perform (chargebacks, fraud, regulatory issues, insolvency). Owned by the Commercial Function with input from Compliance.

5.4 Operational Risk

The risk of loss arising from inadequate or failed internal processes, people, and systems, or from external events. Includes process failure, human error, fraud (internal or external), and third-party failure. Owned by the Operations Function.

5.5 Technology and Cyber Risk

The risk of unavailability, performance degradation, data breach, or unauthorised access to systems and data. The underlying transaction-processing platform is provided by Paytech Ltd under licence; technology risks specific to that platform are managed under the Paytech Software License Agreement and its Service Level Agreement. Risks specific to Unlshd's own systems, configurations, and integrations are owned by the Operations Function.

5.6 Information Security and Data-Protection Risk

The risk of unauthorised disclosure, alteration, or loss of personal or business data. Includes obligations under Regulation (EU) 2016/679 (the "GDPR"), the Cyprus Processing of Personal Data (Protection of Individuals) Law of 2018 (L. 125(I)/2018), and equivalent laws in other jurisdictions. Owned by the Data Protection Officer (where appointed) or the Compliance Officer.

5.7 Chargeback and Fraud Risk (Indirect)

Although Unlshd does not bear direct chargeback liability, elevated chargebacks or fraud at any merchant introduced by Unlshd damage Unlshd's relationships with acquirers and schemes. Managed via the Chargeback Management Procedure (NP-PROC-002) and merchant performance monitoring.

5.8 Conduct Risk

The risk of conduct by Unlshd, its merchants, or its representatives that causes detriment to end-customers (consumer harm, mis-selling, deceptive marketing, predatory product features). Mitigated through the Acceptable Use Policy (NP-POL-001), merchant due diligence, and ongoing monitoring.

5.9 Strategic Risk

The risk that Unlshd's strategy proves to be flawed or poorly executed, or that external developments (regulatory change, scheme rule change, competitive change, technology change) undermine the business model. Owned by the Board.

5.10 Reputational Risk

The risk of damage to Unlshd's standing with acquirers, regulators, schemes, partners, and the public. Generally arises as a downstream consequence of other risks; managed through prevention and through prompt and transparent response to incidents.

6. Risk Governance

6.1 Three Lines of Defence

Unlshd applies a proportionate three-lines model:

• First Line: business operations (Commercial, Operations, Technology). Owns risk and operates day-to-day controls.
• Second Line: Compliance Function and MLRO. Provides oversight, challenge, and assurance.
• Third Line: independent review (internal or external). Tests the effectiveness of the first and second lines on a periodic basis.

Where the size of Unlshd does not justify a permanent third-line function, periodic external review fulfils the role.

6.2 Board and Senior Management

The Board of Directors has overall responsibility for risk management. The Board:

• approves this Framework and the underlying policies;
• approves risk appetite;
• reviews the Risk Register and material risk events at least quarterly;
• approves the appointment of the MLRO/Compliance Officer.

6.3 Compliance Function

The Compliance Function (which may be combined with the MLRO role) is responsible for: implementing and maintaining this Framework; maintaining the Risk Register; conducting and updating the MLTF Risk Assessment; advising the Board on risk; and reporting material risk events.

7. Risk Identification, Assessment, and Treatment

Risks are identified through (i) the Risk Register review, (ii) the MLTF Risk Assessment, (iii) incident reports, (iv) acquirer and scheme alerts, (v) regulatory monitoring, (vi) staff escalation, and (vii) external audit and review.

Each identified risk is assessed for likelihood and impact, and assigned a risk owner. Treatment options are accept, mitigate, transfer, or avoid. Risks above the Board-approved residual-risk threshold require explicit Board acceptance.

8. Risk Register and Reporting

Unlshd maintains a Risk Register that records, for each risk: a description, the inherent assessment, applicable controls, the residual assessment, the risk owner, and the mitigation or remediation status. The Register is reviewed at least quarterly.

The Compliance Function reports to the Board on the Register, on material risk events, on incidents, on regulatory developments, and on partner-acquirer audit findings.

9. Incident Management

Material incidents are recorded, investigated, and (where appropriate) reported to partner acquirers, regulators, and affected counterparties. Lessons learned from incidents are fed back into the Risk Register and into staff training.

The categories of incident addressed include: financial-crime incidents, sanctions hits, data-protection incidents, technology outages and security incidents, partner-acquirer or scheme alerts, and merchant-conduct incidents.

10. Business Continuity

Unlshd recognises that its services depend on the availability of: (i) the underlying Paytech platform; (ii) third-party service providers (including cloud, monitoring, and screening providers); and (iii) the partner acquirers. Continuity of the underlying platform is governed by the Service Level Agreement with Paytech.

Unlshd maintains: (i) basic operational continuity arrangements (documented procedures, staff cross-cover, alternative communication channels); (ii) data back-up and recovery arrangements appropriate to its operations; and (iii) a documented escalation process for partner-acquirer outage or termination, including merchant migration arrangements.

11. Related Documents

• Acceptable Use & Prohibited Businesses Policy;
• Anti-Money Laundering and Counter-Terrorist Financing Policy;
• Sanctions Compliance Statement;
• Privacy Policy;
• Merchant Onboarding and KYB Procedure;
• Chargeback Management Procedure;
• Vertical Standards.

— END OF FRAMEWORK —