RISK MANAGEMENT FRAMEWORK

 

EXECUTIVE SUMMARY

DusuPay like any other business faces or likely to face challenges/risks when carrying out its operations. The challenges range from system failures, human error to customer complaints on service delivery to which solutions are timely sought to ensure customer satisfaction, which is key to business survival. The company has mechanisms in place to anticipate, identify and manage risks from time to time.

This Policy makes reference to and borrows from the DusuPay Anti money- laundering policy and aims to put in place adequate controls and systems so as to avoid or limit risks of DusuPay being used to facilitate financial criminal activities or otherwise.

Risk Governance

    1. DusuPay has in place a robust organization structure that ensures that both actual and potential risks are contained to minimize the impact on the business.
    2. At the helm of the structure is the Board of Directors with vast experience in digital finance, Fintech, management and leadership as reflected in the company profile. This level provides oversight to the business including decision making through the different board committee; Finance and Operations that convene on a quarterly basis to which key issues of concern to the business are presented and decisions made.
    3. At the operational level, there is the CEO who provides direction to the day-to-day operations of the business. The CEO along with the Finance Manager authorizes all decisions related to movement of funds to or from the different accounts of the company.
    4. Competent teams under the function of Information Technology, Operations, Finance, Marketing & Sales and Human Resource support the CEO. The teams play different roles in the DusuPay business processes

  2. Risk Identification

    1. Given the uncertainty about when the risks associated with the operations of DusuPay will materialize, it becomes key to have the risks proactively identified for awareness and determination of action plans. The mechanisms for identification are customer feedback/complaints, analysis of business reports, system failure alerts, observation and customer satisfaction surveys. The risks identified are but not limited to the following:
      1. System Failures i.e., downtime, scalability/capacity;
      2. Customer Complaints leading to reputational risk and customer attrition;
      3. Breach of partnership terms and conditions giving rise to Legal Risk;
      4. Non-compliance to regulatory, statutory and best practice requirements;
      5. Fraud through system compromise/hacking;
      6. Third Party Risk i.e., interdependencies (Telecoms, Merchants);
      7. Staff knowledge/skills gaps i.e., reconciliation, settlement;
      8. Competition.

  3. Risk Measurement & Assessment

    1. It is important to have a full picture of the anticipated risks to a business by assessing the probability and impact for better determination of the prevention or recovery strategies. Below is an assessment of the risks to DusuPay based on the Probability and Impact Criteria Matrices that follow;
Risk Description Probability of Occurrence Financial Impact Non-Financial Impact Overall Risk Rating
1. System Failures Customer Attrition
2. Customer Complaints Reputation damage
3. Legal Risk Litigation costs,

Reputation damage
4. Compliance Risk Sanctions/Fines,

Loss of stakeholder confidence
5. Fraud Risk Reputation damage
6. Third Party Risk Loss of stakeholder confidence
7.Staff Knowledge Gaps Human Errors
8. Competition Loss of staff to competition
  1. Probability Assessment Criteria:
Scale Descriptor Probability of occurrence Explanation of Historical basis of probabilities
5 Expected Above 60% This is expected to occur in most circumstances.
4 Highly likely 40-60% This will probably occur.
3 Likely 20-40% This might occur at some time in future.
2 Not Likely 10-20% This could occur but doubtful.
1 Remote 0-10% This may occur but only in exceptional circumstances.

 b) Financial & Non-Financial Impact Assessment Criteria:

For Financial Impact; Consideration is on the percentage/amount of loss on income/returns/profitability or cost implication that is likely to be suffered by the business in the event that the risk materializes as reflected in the table below; 

Scale Descriptor Financial Impact UGX
5 Critical Above 100M
4 High 15M to 100M
3 Moderate 3M-15M
2 Low 500K to 3M
1 Minor <500K

 For Non-Financial Impact; Parameters to consider here may include – impact on business processes & systems, reputation, staff, management and compliance requirements.

c) Overall Risk Rating Criteria:

The matrix below for Overall Risk Rating is adopted. 

Overall Risk Rating Scale Descriptor Description
1 Minor A risk event that, if it occurs will have little or no impact on achieving outcome objectives.
2 Low A risk event that, if it occurs will have a minor impact on achieving desired results, to the extent that one or more stated outcome objectives will fall below goals but well above minimum acceptable levels.
3 Moderate A risk event that, if it occurs will have a moderate impact on achieving desired results, to the extent that one or more stated outcome objectives will fall well below goals but above minimum acceptable levels.
4 High A risk event that, if it occurs will have a significant impact on achieving desired results, to the extent that one or more stated outcome objectives will fall below acceptable levels.
5 Very High A risk event that, if it occurs will have a severe impact on achieving desired results, to the extent that one or more of its critical outcome objectives will not be achieved.

 

  1. Risk Mitigation

    1. The table below reflects the actions that DusuPay will take to address the risks associated with its operations to prevent or minimize the impact upon occurrence.
Description Mitigating Actions By when
System Downtime

Initially DusuPay will be accessing the escrow account through ABSA Bank. In the event that ABSA Bank is not available for prolonged period, this will result in reconciliation problems.

 Assign a dedicated account manager who will proactively provide DusuPay with account statements via email in the event the ABSA Bank platform is down. Framework to be in place before launch.
Customer Complaints

This could result from failure to reconcile transactions in a timely and accurate manner.

 Build a robust customer service module/escalation matrix for handling customer complaints through the Bank’s existing structures. Before Launch
Legal Risk; Partnership roles Partnership roles to be aligned with competitive advantage and motivation. Before Launch
Compliance; Regulatory restrictions All functionalities to be performed in accordance with all regulatory requirements and best practices from both parties Before Launch
Fraud Risk Fraud identification and monitoring mechanisms in place i.e. daily account reconciliation Ongoing
Third Party Risk Contract/Service Level Agreement in place to define the terms and conditions of the engagement. Before Launch
Staff Knowledge Gaps Staff training gaps identified and the necessary training to be provided. Before Launch

  1. Risk Reporting & Monitoring

    1. For visibility on the operations of DusuPay, there are different reports in place both manual and automated. These are prepared according to need at different frequencies i.e. daily, weekly, monthly, quarterly and annually. The reports are available for use by the different stakeholders.

  2. Assumptions

    1. There will be no regulatory, business strategy or policy changes during this project.
    2. Existing retail structure will be sufficient to support this relationship.
    3. The client will keep the contract with ABSA for a period not less than 3 year

  1. Data Protection and Retention

    1. DusuPay as a Data Controller shall comply with its obligations under the Data Protection and Privacy Act, 2019 Laws of Uganda.
    1. DusuPay as a Data Controller shall archive or destroy data after 10 years upon request by the Data Subjects.

  1. Risk Classification

    1. The Risk classification of DusuPay Users will be divided into:
      1. Low Risk; these are by and large nationals of a country who are not PEP’s or on any sanction list of any country or from non-restricted countries.
      1. High Risk; these are foreigners from restricted countries or people that trade with restricted countries or people that deal in high-risk businesses or PEP’s.
      1. The determination of whether or not one is a Low or High Risk will be determined at on-boarding from the additional information gathered from that individual or from the nature of transactions carried out by the DusuPay User.

Terms and Conditions

These Website Terms and Conditions (“Terms”) contained herein on this web page, shall govern your access to and use of this website, including all pages within this website (collectively referred to as this “Website”). These Terms apply in full force and effect to your use of this Website and by using this Website, you expressly accept all terms and conditions contained herein in full. You must not use this Website, if you have any objection to any of these Terms. PLEASE READ AND UNDERSTAND THE TERMS OF AGREEMENT CAREFULLY BEFORE BEING AGREED TO BE BOUND BY ITS TERMS.

Age Restriction

Our website and services are directed to people from the ages of 18 and above. We do not knowingly engage in people younger than the age of 18.

Intellectual Property

Unless otherwise stated, DusuPay and/or its licensors own the intellectual property rights and materials on the website subject to the license below. We do not grant you any right, license, title or interest to any of our intellectual Property rights which you may or may not have access to. You agree to take such actions including any legal or official document or other documents that may be needed to further affirm our intellectual property rights.

License to Use Our Website

We grant you a non-assignable, non-exclusive and revocable license to use the software provided as part of our services in the manner permitted by these Terms. This license grant includes all updates, upgrades, new versions and replacement software for you to use in connection with our services.

The services are protected by copyright, trademark, and other laws of both Uganda and foreign countries. Nothing in this Term gives you a right to use the DusuPay  name or any of DusuPay’s trademarks, logos, domain names, and other distinctive brand features. All right, title and interest in and to the services are and will remain the exclusive property of DusuPay and its licensors.

If you do not comply with all the provisions, then you will be liable for all resulting damages suffered by you, DusuPay and all third parties. Unless otherwise provided by applicable law, you agree not to alter, re-design, reproduce, adapt, display, distribute, translate, disassemble, reverse engineer, or otherwise attempt to create any source code that is derived from the software.

Any feedback, comments, or suggestions you may provide to us and our services is entirely voluntary and we will be free to use such feedback, comments or suggestion as we see fit without any obligation to you.

Who May Use Our Services?

You may use the Services only if you agree to form a binding contract with DusuPay and are not a person barred from receiving services under the laws of the applicable jurisdiction. If you are accepting these Terms and using the Services on behalf of a company, business, or organization, you represent and warrant that you are authorized to do so.

Your DusuPay Account

Your DusuPay Account is an electronic money account which enables you to send and receive electronic payments.

Your DusuPay Account is denominated in a currency of your choice, as selected by you from the available currencies.

You can change the currency of your DusuPay Account once you have attempted to process a payment.

The electronic money held on your DusuPay Account does not expire but it will not earn any interest.

You have the right to withdraw funds from your DusuPay Account at any time. However, you may be required to confirm your identity beforehand. There is no minimum withdrawal amount but the funds on your DusuPay Account must be sufficient to cover any applicable withdrawal fee. You can choose the method of withdrawal when submitting your withdrawal request.

Electronic money accounts are not bank accounts. By accepting these Terms of Use you acknowledge that the UK’s Financial Services Compensation Scheme (FSCS) does not apply to your DusuPay Account. In the unlikely event that we become insolvent, you may lose the electronic money held in your DusuPay Account. However, we strictly adhere to the legal requirements under the European Electronic Money Directive 2009/110/EC and UK national legislation which are designed to ensure the safety and liquidity of funds deposited in electronic money accounts. For further information on how we safeguard customer funds, please visit our Website.

The electronic money on a DusuPay Account belongs to the person or legal entity which is registered as the DusuPay Account holder. No person other than the DusuPay Account holder has any rights in relation to the funds held in a DusuPay Account, except in cases of succession. You may not assign or transfer your DusuPay Account to a third party or otherwise grant any third party a legal or equitable interest over it.

Your DusuPay Account may be subject to upload, payment and withdrawal limits, depending on your country of residence, the verification status of your DusuPay Account and other factors used by us to determine such limits from time to time at our sole discretion.

Opening your DusuPay Account

In order to use our payment services you must first open a Dusupay Account by registering your details on our Website. As part of the signup process you will need to accept these Terms of Use and our Privacy Policy and you must have legal capacity to accept the same. If you order additional services, you may be asked to accept additional terms and conditions.

You may only open one DusuPay Account unless we explicitly approve the opening of additional accounts.

You may only open a DusuPay Account if it is legal to do so in your country of residence. By opening a DusuPay Account you represent and warrant to us that your opening of a DusuPay Account does not violate any laws or regulations applicable to you. You shall indemnify us against any losses we incur in connection with your breach of this section.

All information you provide during the signup process or any time thereafter must be accurate and truthful.

You may only add payment instruments (such as bank accounts, credit cards or debit cards) unless when using Mobile wallets or POS to your DusuPay Account if you are the named holder of that payment instrument. We take any violation of this requirement very seriously and will treat any attempt to add a payment instrument of which you are not the named holder as a fraudulent act.

Within 14 days of the date of opening your DusuPay Account, you may close your DusuPay Account at no cost by contacting Customer Service, however, if you have uploaded funds into your DusuPay Account, you may be required to provide identification documents before being able to withdraw funds. Transactions and fees for transactions undertaken before you close your DusuPay Account (including those transactions that are not revocable and have been initiated but not completed before closure of your DusuPay Account) will not be refunded.

Maintaining your DusuPay Account

You must ensure that the information recorded on your Dusupay Account is always accurate and up to date and we shall not be liable for any loss arising out of your failure to do so. We may ask you at any time to confirm the accuracy of your information or to provide documents or other evidence.

We may contact you by e-mail or in other ways described  with information or notices regarding your DusuPay Account. It is your responsibility to regularly check the proper functioning of your email account or other methods of communication that you have registered with your DusuPay Account and to retrieve and read messages relating to your DusuPay Account promptly. We shall not be liable for any loss arising out of your failure to do so.

Fund uploads, payments received, payments sent and fund withdrawals are displayed in your  account together with the fees charged are displayed on your dashboard. Each transaction is given a unique transaction ID and shown in the transaction history. You should quote this transaction ID when communicating with us about a particular transaction. You should check your DusuPay Account balance and transaction history regularly. You should report any irregularities or clarify any questions you have as soon as possible by contacting Customer Service.

Warranty Disclaimer

DusuPay  will always ensure that the website is available at all times and bug free. however, it is used at your own risk

we provide all materials “as is” with no warranty, express or implied, of any kind. we expressly disclaim any and all warranties and conditions, including any implied warranty or condition of merchantability, fitness for a particular purpose, availability, security, title, and non-infringement of intellectual property rights, without limiting the generality of the foregoing,  dusupay makes no warranty that our website and services will meet your requirements or that our website will remain free from any interruption, bugs, inaccuracies, and error free. your use of our services are at your own risk and you alone will be responsible for any damage that results in loss of data or damage to your computer system. no advice or information, whether oral or written obtained by you from our website or our services will create any warranty or condition not expressly stated.

Limitation of Liability

You agree to the limitation liability clause to the maximum extent permitted by applicable law: DusuPay will in no way be liable for any direct, indirect, incidental punitive, consequential, special or exemplary damages or any damages including damages resulting from revenue loss, profit loss, use, data, goodwill , business interruption or any other intangible losses (whether DusuPay has been advised of the possibility of such damages or not) arising out of DusuPay’s website or services (including, without limitation to inability to use, or arising from the result of use of DusuPay’s website or services) whether such damages are based on warranty, tort, contract, statute or any other legal theory.

some jurisdictions do not allow exclusion of certain warranties or limitations on the scope and duration of such warranties, so the above disclaimers may not apply to you in their entire-ties, but will apply to the maximum extent permitted by applicable law.

Indemnification

You hereby indemnify DusuPay and undertake to keep DusuPay  indemnified against any losses, damages, costs, liabilities and expenses (including without limitation to reasonable legal fees) arising out of any breach by you of any provision of these Terms, or arising out of any claim that you have breached any provision of these Terms.

Breaches of these Terms

Without prejudice to DusuPay’s other rights under these Terms, if you breach these Terms in any way, DusuPay may take such action as DusuPay deems appropriate to deal with the breach, including suspending your access to the website, prohibiting you from accessing the website, blocking computers using your IP address from accessing the website, contacting your internet service provider to request that they block your access to the website and/or bringing court proceedings against you.