Anti-Money Laundering & CFT Statement

Last updated: 06 May 2026

This statement describes the Anti-Money Laundering (AML) and Counter-Terrorism Financing (CFT) program operated by PT UNIT GLOBAL SYSTEM. It supports our obligations under Law 8 of 2010 (UU TPPU), Law 9 of 2013 (Pencegahan dan Pemberantasan Tindak Pidana Pendanaan Terorisme), Bank Indonesia regulations governing payment service providers, and the directives of the Indonesian Financial Transaction Reports and Analysis Center (PPATK).

1. Statement of commitment

UnitPay maintains a comprehensive AML and CFT program proportionate to the risk profile of its merchant base and the payment services it offers. The program is designed to detect, prevent, and report money laundering, terrorism financing, sanctions evasion, and proliferation financing across every transaction we process.

We do not knowingly facilitate transactions that involve the proceeds of crime, terrorism financing, or sanctioned parties. Where we identify or reasonably suspect such activity, we take action consistent with this statement, our internal procedures, and applicable law.

This statement is a public commitment binding on UnitPay's directors, employees, contractors, and authorised agents. Internal procedures interpreting it are issued and maintained by the AML Compliance Officer and reviewed annually for consistency with current regulatory expectations and observed typologies.

2. Program governance

An AML Compliance Officer (AMLCO) is designated and registered with PPATK. The AMLCO has unrestricted access to merchant, transaction, and operational data necessary to discharge program responsibilities. The AMLCO reports functionally to the board's risk committee, which reviews AML metrics, escalations, and program effectiveness at least quarterly.

The AML and CFT program is documented through internal policies, procedures, and risk assessments, and is reviewed at least annually. Material changes are presented to the board for approval and communicated to staff with production access through mandatory updated training.

The board carries ultimate responsibility for the AML and CFT framework. The board approves the AML risk appetite statement, the annual training plan, the resourcing of the compliance function, and material changes to the program. The AMLCO has a direct line of escalation to the board chair where executive-level resistance to a compliance recommendation arises.

An enterprise-wide ML/TF risk assessment is performed at least annually, covering customer typology, geographic exposure, product mix, and delivery-channel risk. Findings drive the calibration of due diligence depth, monitoring rules, and training topics for the year ahead.

3. Customer due diligence

UnitPay performs risk-based customer due diligence on every merchant entity, every director, every commissioner where applicable, every ultimate beneficial owner holding 25% or more, and every authorised signatory. Standard due diligence applies to low- and medium-risk relationships; enhanced due diligence (EDD) applies to high-risk relationships, including PEPs, high-risk industries, and high-risk geographies.

EDD measures include: senior management approval of the relationship, enhanced understanding of source of funds and source of wealth where applicable, more frequent ongoing review, and stricter transaction monitoring thresholds. The specific measures applied are documented in the customer file and re-assessed at every periodic review.

KYC verification is performed through Didit (document, biometric liveness, and initial AML screening) as described in our KYC Policy. Ongoing transaction screening and merchant monitoring are performed through Didit. Together these vendors provide the screening, monitoring, and alerting capabilities the program requires.

Where due diligence cannot be completed satisfactorily (for example, undisclosed beneficial ownership, refusal to provide source-of-funds evidence for an EDD case, persistent failure of identity verification), UnitPay declines to onboard the prospective merchant or terminates an existing relationship and considers whether the circumstances warrant a SAR filing.

4. Sanctions and watchlist screening

Every transaction processed through UnitPay is screened in real time against the principal international and Indonesian sanction and watchlist sources.

The list set is reviewed at least annually to ensure new instruments (for example, freezing orders issued by Indonesian authorities, additional UN Security Council resolutions, sectoral or autonomous EU measures) are added promptly. Screening is performed against:

The United Nations Consolidated Sanctions List.
European Union consolidated sanctions.
The OFAC Specially Designated Nationals and Blocked Persons List.
His Majesty's Treasury (UK OFSI) consolidated list.
The PPATK domestic sanctions list (DTTOT, Daftar Terduga Teroris dan Organisasi Teroris) and any additional Indonesian regulatory lists in force.
Politically exposed person (PEP) lists, including direct, family, and close-associate categories.
Adverse media, drawn from over one thousand sources, focused on financial crime indicators.

Screening is performed at onboarding, on every transaction, and on a continuous monitoring basis through Didit. Positive matches block the transaction or onboarding pending compliance review.

Match-quality tuning balances false-positive rate (which creates customer friction) against false-negative rate (which creates regulatory and reputational risk). The configuration favours the regulatory-risk side: where doubt exists, the match is escalated for human review rather than auto-cleared.

Adjudication outcomes are sampled for quality-review by a senior compliance team-member to ensure consistency across analysts and to identify training opportunities. Sampling and findings are reported to the AMLCO monthly.

5. Transaction monitoring

Automated rules monitor transactions for: velocity outside historical norms, structuring patterns (multiple sub-threshold amounts), high-risk geographies, anomalous payment-method mix, atypical refund or chargeback rates, and combinations of indicators consistent with transaction laundering. Rule sets are tuned at least quarterly based on alert outcomes, peer benchmark, and emerging typologies published by PPATK and FATF.

Alerts route to a manual review queue. Compliance analysts adjudicate alerts within five working days, with severity-based fast-track for high-risk alerts. Adjudication notes are retained as part of the case record for audit.

The transaction monitoring system is calibrated to the merchant base in scope, not borrowed wholesale from a generic library. Detection logic and thresholds are reviewed against actual alert outcomes (true positive, false positive, undetected event identified after the fact) so that calibration tightens over time.

Read-across between transaction monitoring and the risk-monitoring framework described in our Risk Monitoring Policy is deliberate: AML signals can drive risk-tier reassignment, and risk-tier movement adjusts the AML monitoring posture. The two policies form a single program viewed from different angles.

6. Suspicious activity reporting

Where the AMLCO determines reasonable suspicion of money laundering, terrorism financing, or other reportable predicate offences, UnitPay files a Suspicious Transaction Report (Laporan Transaksi Keuangan Mencurigakan, LTKM) with PPATK within the timelines required by UU TPPU Article 23. We also file Cash Transaction Reports (LTKT) and other regulator-mandated reports where the applicable thresholds are met.

The anti-tipping-off provisions of UU TPPU prohibit us from disclosing the existence or content of any LTKM to the affected merchant, customer, or any other unauthorised party. We do not respond to merchant inquiries about whether a specific transaction has been reported.

Internal escalation to filing follows a documented workflow: analyst escalation, AMLCO review, AMLCO determination, filing through the GoAML or successor portal that PPATK operates. The filing record is retained alongside the underlying case evidence for the period required by UU TPPU Article 21.

7. Record keeping

UnitPay retains AML records for at least five years from the date of the transaction or the closure of the merchant relationship, whichever is later. This is consistent with UU TPPU Article 21 and aligns with the seven-year transaction-record retention we apply for Bank Indonesia audit purposes. Categories of record retained include:

Customer due diligence files (identity documents, beneficial-ownership evidence, EDD source-of-funds material).
Sanctions and PEP screening results, including matched list reference and adjudication outcome.
Transaction records sufficient to reconstruct the underlying flow of funds.
Alert adjudication notes and working papers.
LTKM and LTKT filings, with the supporting evidence that informed the determination.
Training records and internal communications relating to specific cases.

Records are stored encrypted at rest in ap-southeast-3, access-controlled, and integrity-protected. Production-grade restoration of historical records can be performed within five working days of regulator request.

8. Training

All staff with merchant-onboarding, transaction-monitoring, customer-support, or technology roles touching transaction data complete AML and CFT training at hire and annually thereafter. Training covers Indonesian regulatory framework, red-flag recognition, sanctions and PEP awareness, escalation procedures, and the anti-tipping-off rule.

Specialised modules are delivered to compliance analysts, the AMLCO, and senior management. Training completion is tracked centrally and is a precondition for retaining production access.

Training content is refreshed at least annually to reflect new typologies, regulator guidance, and observed weaknesses identified through internal quality-review of analyst adjudications. Staff who fail training assessments retake the module before regaining production access.

9. Independent audit and assurance

An independent assessment of the AML and CFT program is performed at least annually by qualified external assessors. Findings are documented with severity ratings, root-cause analysis, and a remediation plan with named owners and target dates. Material findings are reported to the board's risk committee and tracked to closure.

Outcomes of independent assessment, together with regulator examination findings where applicable, drive program improvement. We commit to addressing high and critical findings on a service-level basis aligned with regulator expectations.

Independence is preserved by appointing assessors who do not also provide ongoing AML or CFT services to UnitPay, and by ensuring assessor reports are presented directly to the board's risk committee rather than mediated through executive management.

Assessment scope rotates over a multi-year cycle so that every component of the program (governance, due diligence, screening, monitoring, reporting, training, record-keeping, technology) receives focused review at least once in the cycle. Out-of-cycle assessments are commissioned on material risk events.

10. Cooperation with regulators

UnitPay cooperates fully with Bank Indonesia, OJK, PPATK, and law enforcement under valid legal process. We respond to information requests within the timelines set out in the request or by applicable law, and we maintain dedicated contact channels for each regulator. Inquiries from authorised investigators may be directed to compliance@unitpay.net or through the formal channels established in our regulatory licensing documentation.

Where international cooperation is requested through legitimate mutual legal assistance channels (for example, through Bank Indonesia's bilateral arrangements or PPATK's egmont-group counterpart relationships), UnitPay supports the request consistent with Indonesian law and any applicable cross-border data-protection safeguards described in our UU PDP Personal Data Notice.

Information shared with regulators is the minimum necessary to address the request. Records of regulator interactions are retained as part of the program record so that the cumulative pattern of cooperation is itself auditable.

For day-to-day enquiries, including merchant questions about the reach of this Statement, the AML Compliance Officer can be reached at compliance@unitpay.net during Mon-Fri 09:00-18:00 WIB.

Effective date: 06 May 2026