KYC, KYB & AML compliance checklist
Zambia KYC, KYB & AML
A practical implementation checklist for financial institutions, payment providers, virtual-asset businesses and other reporting entities operating in Zambia.
- Reviewed
- 15 July 2026
- Version
- 1.1
- control areas
- 11
- implementation checks
- 47
Direct answer
What does the Zambia compliance checklist cover?
The Zambia checklist translates primary KYC, KYB and AML rules into 11 control areas and 47 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Financial intelligence unit
- Financial Intelligence Centre (FIC)
- STR deadline
- Within three working days of forming suspicion
- Currency transaction reporting
- USD 10,000 or more, including linked transactions where applicable
- AML record retention
- At least 10 years from the applicable transaction, occasional transaction or relationship-termination date
- FATF public list
- Not listed in the FATF public statements issued on 19 June 2026
Implementation detail
Zambia compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Regulatory perimeter and registrationEstablish the entity's reporting, licensing and supervisory perimeter before launching or changing a product.4 items+
Map the regulatory perimeter
- Implementation action
- Document each legal entity, product, payment flow, delivery channel, customer segment and jurisdiction. Determine whether it is a financial institution, DNFBP, VASP or other reporting entity and identify FIC, BoZ, PACRA and any sector supervisor obligations.
- Evidence to retain
- Approved regulatory-perimeter memo, product inventory and licence register
- Primary citation
- FIC Act No. 46 of 2010, as amended; FIC AML/CFT Framework; BoZ regulatory framework
Maintain licences and registrations
- Implementation action
- Obtain and maintain every applicable BoZ licence, payment-system approval, PACRA registration and FIC reporting-entity registration or notification. Escalate changes in ownership, control, products or operating model before implementation.
- Evidence to retain
- Licences, FIC and supervisor correspondence, renewal calendar and change approvals
- Primary citation
- National Payment Systems Act No. 1 of 2007; Banking and Financial Services Act No. 7 of 2017; FIC Act
Identify the accountable supervisory authority
- Implementation action
- Assign an owner for each regulator and maintain the relevant reporting, inspection, information-request and remediation procedures.
- Evidence to retain
- Regulatory-obligations register, named owners and reporting calendar
- Primary citation
- FIC AML/CFT Framework; FIC General Guidelines 2017
Control outsourcing and agents
- Implementation action
- Risk-assess agents, distributors, outsourced KYC providers and technology vendors before appointment; contract for access, audit, confidentiality, AML/CFT controls and data-protection obligations.
- Evidence to retain
- Third-party due-diligence file, contract clauses and oversight reviews
- Primary citation
- FIC Act, section 23; FIC General Regulations 2022; Data Protection Act No. 3 of 2021
02Governance, compliance officer and policiesPut accountable senior management, an independent compliance function and documented controls in place.4 items+
Designate an eligible compliance officer
- Implementation action
- Designate a compliance officer at senior-management level. Confirm the person meets the statutory experience, integrity, certification and FIC-approval requirements and has access to the books, records and employees needed to perform the role.
- Evidence to retain
- Appointment resolution, eligibility assessment, FIC approval or certification record and access matrix
- Primary citation
- FIC Act, section 23, as amended by Act No. 16 of 2020
Adopt an AML/CFT/CPF programme
- Implementation action
- Maintain board-approved policies covering risk assessment, CDD, beneficial ownership, PEPs, sanctions, monitoring, reporting, record keeping, confidentiality, training and independent testing.
- Evidence to retain
- Board minutes, current policy suite, control-owner register and annual approval record
- Primary citation
- FIC Act, section 23, as amended; FIC General Guidelines 2017
Provide protected internal escalation
- Implementation action
- Require staff to escalate knowledge, suspicion or reasonable grounds for suspicion promptly to the compliance officer, protect whistleblowing channels and preserve decision records.
- Evidence to retain
- Internal-reporting procedure, case log, access controls and staff acknowledgement
- Primary citation
- FIC Act; FIC Guidance Note on STR Reporting 2022
Train and independently test controls
- Implementation action
- Deliver role-based AML/CFT/CPF, sanctions and privacy training, including to agents where relevant, and arrange periodic independent audit or testing of the programme.
- Evidence to retain
- Training curriculum, attendance and assessment records, audit plan and remediation tracker
- Primary citation
- FIC Act, section 23; FIC Guidelines on AML/CFT Policy 2020; FIC Guidelines on Independent Audit 2021
03Enterprise and customer risk assessmentUse a documented risk-based approach to calibrate onboarding, monitoring and review intensity.4 items+
Assess enterprise ML/TF/PF risk
- Implementation action
- Assess inherent and residual risks across customers, products, services, transactions, delivery channels, technologies, agents and geographies. Record controls, residual-risk ratings and remediation deadlines.
- Evidence to retain
- Enterprise risk assessment, methodology, risk register and management approval
- Primary citation
- FIC General Regulations 2022, regs. 8-10; FIC Guidelines on ML/TF/PF Risk Assessment 2021
Risk-assess products before launch
- Implementation action
- Complete AML/CFT/CPF, fraud, sanctions and data-protection assessments before launching a product, new technology, virtual-asset service, agent channel or material change.
- Evidence to retain
- Product-approval checklist, risk assessment and control sign-offs
- Primary citation
- FIC General Regulations 2022; FIC AML/CFT Framework; Data Protection Act No. 3 of 2021
Risk-rate each relationship
- Implementation action
- Assign and explain customer-risk ratings using customer, ownership, PEP, sanctions, product, channel, transaction and geographic factors. Govern overrides and set risk-based refresh dates.
- Evidence to retain
- Scoring model, input data, approval record, override log and review schedule
- Primary citation
- FIC General Regulations 2022, regs. 8-10
Use simplified measures only when justified
- Implementation action
- Apply simplified CDD only after a documented low-risk assessment and never where suspicion, sanctions exposure or another high-risk factor requires stronger controls.
- Evidence to retain
- Low-risk assessment and approved simplified-control configuration
- Primary citation
- FIC General Regulations 2022, reg. 9
04KYC and customer due diligenceIdentify, verify and understand customers and representatives before or when establishing the relationship, subject only to lawful risk-controlled timing exceptions.5 items+
Identify and verify natural persons
- Implementation action
- Obtain reliable identity information and independently verify it using appropriate documents, data or information. Record the verification method, result and any discrepancy resolution.
- Evidence to retain
- KYC checklist, identity documents, verification response and exception record
- Primary citation
- FIC Act, section 18; FIC General Regulations 2022, reg. 7
Identify representatives and authority
- Implementation action
- Identify and verify every person acting for a customer and verify authority through a mandate, resolution, power of attorney or comparable instrument.
- Evidence to retain
- Representative KYC, authority instrument and mandate matrix
- Primary citation
- FIC Act, section 18; FIC General Regulations 2022, reg. 7
Understand purpose and intended activity
- Implementation action
- Record the purpose and intended nature of the relationship, expected products, volumes, transaction values, counterparties, geographies and source of funds appropriate to the risk.
- Evidence to retain
- Customer profile, expected-activity baseline and source-of-funds records
- Primary citation
- FIC Act, section 18; FIC General Regulations 2022, reg. 7
Apply ongoing CDD and refresh triggers
- Implementation action
- Monitor transactions and customer information throughout the relationship, refresh CDD when risk, ownership, activity, documents or circumstances change, and investigate activity inconsistent with the profile.
- Evidence to retain
- Refresh schedule, trigger log, updated KYC pack and monitoring cases
- Primary citation
- FIC Act, sections 18 and 20; FIC General Regulations 2022
Handle failed CDD safely
- Implementation action
- Where required CDD cannot be completed, do not establish or continue the relationship or complete the transaction unless lawfully permitted; consider an STR without tipping off the customer.
- Evidence to retain
- Decline, restriction or exit record and STR decision record
- Primary citation
- FIC Act, sections 18 and 29; FIC General Regulations 2022
05KYB and beneficial ownershipVerify the legal person or arrangement, its authority structure and the natural persons who ultimately own, control or benefit from it.5 items+
Verify legal existence and status
- Implementation action
- Obtain and independently verify incorporation or registration, legal form, registered office, principal business address, directors, tax information and current status from PACRA or the competent registry.
- Evidence to retain
- Registry extract, constitutional documents, tax and licence checks and status verification
- Primary citation
- FIC Act, section 18; Companies Act No. 10 of 2017; PACRA service information
Identify natural-person beneficial owners
- Implementation action
- Trace direct and indirect ownership and control through each layer to the natural persons who ultimately own, control, exercise substantial interest in or receive substantial economic benefit from the customer, including the person on whose behalf a transaction is conducted.
- Evidence to retain
- Ownership chart, beneficial-owner declaration, supporting filings and independent corroboration
- Primary citation
- Companies Act No. 10 of 2017, as amended; PACRA, Who is a beneficial owner?
Assess control beyond shareholding
- Implementation action
- Assess voting rights, appointment and veto rights, trustee and beneficiary powers, contractual arrangements and other material influence. Do not treat a shareholder threshold as the sole beneficial-ownership test.
- Evidence to retain
- Control analysis, shareholder register, agreements and governance documents
- Primary citation
- Companies Act No. 10 of 2017, section 3; PACRA, What is control of a company?
Verify directors and signatories
- Implementation action
- Identify, verify and screen directors, senior managers, authorised signatories and other persons able to instruct the relationship; confirm their authority.
- Evidence to retain
- KYC files, director search, screening results and board resolution
- Primary citation
- FIC Act, section 18; FIC General Regulations 2022, reg. 7
Refresh KYB on material change
- Implementation action
- Monitor for changes in legal status, ownership, control, directors, licences and expected activity, and refresh KYB promptly after a material change, doubt or suspicion.
- Evidence to retain
- Registry-monitoring log, event alerts and updated KYB pack
- Primary citation
- FIC Act, sections 18 and 20; Companies Act No. 10 of 2017
06PEPs, sanctions and targeted financial sanctionsIdentify high-risk relationships and implement immediate controls for relevant sanctions and terrorism/proliferation financing designations.4 items+
Identify PEP exposure
- Implementation action
- Screen customers, beneficial owners, controllers and authorised persons for domestic and foreign PEP exposure, and assess known family members and close associates using a risk-based approach.
- Evidence to retain
- Screening results, relationship map, PEP assessment and review log
- Primary citation
- FIC Act, section 19; FIC PEP Guidance Note
Apply enhanced PEP controls
- Implementation action
- For a high-risk or PEP relationship, obtain appropriate senior-management approval, establish source of wealth and source of funds, and apply enhanced ongoing monitoring.
- Evidence to retain
- Senior approval, source evidence, enhanced-monitoring plan and case reviews
- Primary citation
- FIC Act, section 19; FIC General Regulations 2022, reg. 10; FIC PEP Guidance Note
Screen sanctions and designation lists
- Implementation action
- Screen customers, beneficial owners, controllers, payers, payees and relevant counterparties against applicable UN, domestic and other legally applicable sanctions lists at onboarding, on list updates and before relevant transactions.
- Evidence to retain
- List inventory, screening timestamps, match-adjudication records and alert queue
- Primary citation
- Anti-Terrorism and Non-Proliferation Act No. 30 of 2024; FIC Act, section 23
Freeze, stop and report where required
- Implementation action
- Maintain an escalation process to validate matches, implement required freezing or transaction restrictions without delay, preserve evidence and report or seek directions from the competent authority as the applicable law requires.
- Evidence to retain
- Match case file, freeze or restriction record, authority correspondence and release controls
- Primary citation
- Anti-Terrorism and Non-Proliferation Act No. 30 of 2024; Anti-Terrorism S.I. No. 1 of 2024
07Payments, wire transfers and virtual assetsConfigure payment and virtual-asset controls to preserve required originator and beneficiary information and meet licensing obligations.5 items+
Preserve transfer information
- Implementation action
- For applicable wire transfers and virtual-asset transfers, collect, verify where required and transmit the prescribed originator and beneficiary information; reject, suspend or investigate incomplete information in line with risk and law.
- Evidence to retain
- Payment-message specification, validation rules, rejection queue and sampled transfer records
- Primary citation
- FIC Prescribed Threshold Regulations 2022, reg. 6; FIC General Regulations 2022
Configure prescribed thresholds
- Implementation action
- Implement the Schedule to the Prescribed Threshold Regulations for customer identification, wire or virtual-asset transfer, currency transaction and border-reporting controls. Aggregate linked transactions where the law requires and maintain a documented FX-conversion method.
- Evidence to retain
- Threshold matrix, system configuration, aggregation logic and periodic control testing
- Primary citation
- FIC Prescribed Threshold Regulations 2022, regs. 5-8 and Schedule
Report currency transactions
- Implementation action
- Submit a currency transaction report for a cash or monetary transaction of USD 10,000 or more, including linked transactions where applicable, within three working days of the transaction using the prescribed FIC channel.
- Evidence to retain
- Threshold alert, linked-transaction analysis, CTR and submission receipt
- Primary citation
- FIC Prescribed Threshold Regulations 2022, reg. 7 and Schedule; FIC reporting guidance
Meet BoZ payment-system conditions
- Implementation action
- For a payment-system provider or participant, maintain the applicable BoZ approval or licence, KYC/client-verification procedures, AML training and agent oversight required for the service.
- Evidence to retain
- BoZ licence or approval, payment-system compliance assessment and agent-training records
- Primary citation
- National Payment Systems Act No. 1 of 2007; BoZ payment-system licensing requirements
Apply VASP controls where relevant
- Implementation action
- Treat virtual-asset activity as a regulated-risk area: confirm current BoZ and FIC requirements, complete licensing or registration steps, and implement the applicable CDD, travel-rule, monitoring and reporting controls before operating.
- Evidence to retain
- VASP legal assessment, regulator correspondence, transfer-control design and approval record
- Primary citation
- FIC General Regulations 2022; FIC VASP Sector Guidelines 2022; BoZ VASP public notices
08Transaction monitoring and suspicious reportingDetect unusual activity, investigate promptly and report suspicion without tipping off.4 items+
Monitor expected versus actual activity
- Implementation action
- Use risk-based manual or automated scenarios that consider unusual cash use, structuring, rapid movement of funds, changes in customer behaviour, high-risk geographies, fraud indicators and virtual-asset exposure.
- Evidence to retain
- Scenario inventory, tuning rationale, alert cases and quality-assurance results
- Primary citation
- FIC Act, sections 20 and 23; FIC General Guidelines 2017
File STRs within the statutory deadline
- Implementation action
- Where there are reasonable grounds to suspect proceeds of crime, terrorism, terrorist financing or proliferation financing, take reasonable measures to ascertain the transaction purpose and file an STR with FIC within three working days of forming the suspicion. Apply the same discipline to attempted transactions where required.
- Evidence to retain
- Suspicion timestamp, investigation record, compliance-officer decision, STR and FIC receipt
- Primary citation
- FIC Act, sections 29 and 45; FIC Guidance Note on STR Reporting 2022
Use the prescribed reporting channel and retain case evidence
- Implementation action
- Use the FIC online reporting portal or another prescribed submission route, include complete supporting information and retain reports, working papers and follow-up responses securely.
- Evidence to retain
- Portal role register, submission receipt, report copy and supporting case file
- Primary citation
- FIC reporting page; FIC Guidance Note on STR Reporting 2022
Prevent tipping off
- Implementation action
- Restrict access to internal alerts, STR decisions and FIC correspondence. Do not disclose to a customer or unauthorised person that an STR, inquiry or investigation exists.
- Evidence to retain
- Role-based access controls, confidentiality procedure and training records
- Primary citation
- FIC Act, section 34; FIC Guidance Note on STR Reporting 2022
09Record keeping and regulatory cooperationRetain complete, reconstructable records and respond promptly to lawful FIC and supervisory requests.4 items+
Keep AML records for at least 10 years
- Implementation action
- Retain CDD information, account files, business correspondence, transaction records and analysis results for at least 10 years following relationship termination or the occasional transaction, and retain transaction records for at least 10 years following completion.
- Evidence to retain
- Retention schedule, immutable archive settings, retrieval test and destruction approvals
- Primary citation
- FIC Act, section 22, as amended; Zambia Mutual Evaluation Report 2019
Maintain reconstructable transaction records
- Implementation action
- Keep records sufficient to reconstruct individual domestic and cross-border transactions, including parties, dates, amounts, currencies, instruments and relevant instructions.
- Evidence to retain
- Transaction schema, archive sample and reconstruction test
- Primary citation
- FIC Act, section 22; FIC Prescribed Threshold Regulations 2022
Respond to lawful information requests
- Implementation action
- Maintain a controlled process to receive, validate, search, approve and respond to FIC and other competent-authority requests within the required time, preserving a complete audit trail.
- Evidence to retain
- Request log, legal-review record, production package and response receipt
- Primary citation
- FIC Act; FIC General Regulations 2022, regs. 4-5
Preserve records subject to investigation
- Implementation action
- Suspend normal deletion for records subject to an STR, freeze, investigation, legal hold or authority request until release is authorised.
- Evidence to retain
- Legal-hold procedure, preservation notices and release approvals
- Primary citation
- FIC Act, sections 22 and 25; FIC General Regulations 2022
10Data protection and privacyProcess KYC, KYB, screening and monitoring data lawfully, securely and only for defined purposes.4 items+
Document lawful and transparent processing
- Implementation action
- Map personal-data processing for onboarding, screening, monitoring, reporting, retention and sharing; document the legal basis, purpose, data categories, recipients and retention period, and provide required privacy information.
- Evidence to retain
- Record of processing activities, privacy notices and legal-basis assessment
- Primary citation
- Data Protection Act No. 3 of 2021; Data Protection Commission guidance
Apply data minimisation and security controls
- Implementation action
- Collect only data needed for the compliance purpose and apply access control, encryption, logging, secure transmission, vendor controls and tested incident-response procedures.
- Evidence to retain
- Data inventory, access reviews, security architecture, vendor assessment and incident playbook
- Primary citation
- Data Protection Act No. 3 of 2021; Data Protection Regulations; Data Protection Code of Conduct 2025
Govern international transfers and processors
- Implementation action
- Assess cross-border transfers and outsourced processing before use, apply the required safeguards and written processor terms, and ensure third parties can support lawful data-subject and regulatory requests.
- Evidence to retain
- Transfer assessment, processor agreement, vendor due diligence and data-flow map
- Primary citation
- Data Protection Act No. 3 of 2021; Data Protection Regulations
Reconcile privacy with AML retention
- Implementation action
- Align deletion and data-subject request workflows with mandatory AML retention, legal holds, confidentiality and anti-tipping-off obligations; document any lawful restriction or deferred response.
- Evidence to retain
- Retention matrix, request-handling procedure and legal-review log
- Primary citation
- Data Protection Act No. 3 of 2021; FIC Act, sections 22 and 34
11Testing, assurance and continuous improvementMake compliance measurable through testing, management information and timely remediation.4 items+
Test critical controls
- Implementation action
- Periodically test onboarding, identity verification, beneficial ownership, PEP and sanctions screening, thresholds, monitoring scenarios, report deadlines, record retrieval and access controls.
- Evidence to retain
- Control-test plan, sample results, defects and remediation tracker
- Primary citation
- FIC Guidelines on Independent Audit 2021; FIC Act, section 23
Report meaningful management information
- Implementation action
- Provide senior management and the board with risk ratings, overdue reviews, screening alerts, STR and CTR timeliness, threshold exceptions, training completion, audit findings and remediation status.
- Evidence to retain
- Compliance dashboard, committee minutes and action log
- Primary citation
- FIC Act, section 23; FIC Guidelines on AML/CFT Policy 2020
Track regulatory and list changes
- Implementation action
- Monitor FIC, BoZ, PACRA, Data Protection Commission and FATF publications; assess impact, update controls and retain evidence of implementation.
- Evidence to retain
- Regulatory-change register, impact assessments and updated procedures
- Primary citation
- FIC legislation and reporting pages; BoZ regulatory framework; FATF public statements
Remediate findings to closure
- Implementation action
- Assign each audit, inspection, incident or control failure to an accountable owner, set a risk-based deadline, validate remediation and report overdue issues to senior management.
- Evidence to retain
- Issue register, remediation evidence, validation results and management escalation
- Primary citation
- FIC Guidelines on Independent Audit 2021; FIC AML/CFT Framework

11 control areas and 47 implementation checks, with direct regulatory sources.
Download the Zambia KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Zambia implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.1, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
22 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- 01Financial Intelligence Centre Zambia · Legislation library, including the FIC Act 2010, Amendment Acts 4 of 2016 and 16 of 2020, S.I. 53 and 54 of 2022, and anti-terrorism legislation
- 02Financial Intelligence Centre Zambia · Financial Intelligence Centre (Amendment) Act No. 16 of 2020
- 03Financial Intelligence Centre Zambia · Financial Intelligence Centre (General) Regulations, 2022, S.I. No. 54 of 2022
- 04Financial Intelligence Centre Zambia · Financial Intelligence Centre (Prescribed Threshold) Regulations, 2022, S.I. No. 53 of 2022
- 05Financial Intelligence Centre Zambia · AML/CFT framework
- 06Financial Intelligence Centre Zambia · Reporting guidance and sector-specific reporting materials
- 07Financial Intelligence Centre Zambia · AML/CFT General Guidelines 2017
- 08Financial Intelligence Centre Zambia · Guidance Note on Suspicious Transaction Reporting 2022
- 09Financial Intelligence Centre Zambia · VASP Sector Guidelines 2022
- 10Financial Intelligence Centre Zambia · Guidelines on AML/CFT Policy 2020
- 11Financial Intelligence Centre Zambia · Guidelines on AML/CTPF Independent Audit 2021
- 12Financial Intelligence Centre Zambia · Guidelines on ML/TF/PF Risk Assessment 2021
- 13Bank of Zambia · Regulatory framework and related financial-sector legislation
- 14Bank of Zambia · Payment-system licensing requirements
- 15Patents and Companies Registration Agency · Beneficial-owner definition under the Companies Act
- 16Patents and Companies Registration Agency · Control of a company under the Companies Act
- 17Patents and Companies Registration Agency · Annual-return compliance notice under the Companies Act
- 18Data Protection Commission Zambia · Data Protection Act No. 3 of 2021
- 19Data Protection Commission Zambia · Data protection regulations and 2025 code materials
- 20Financial Action Task Force · Jurisdictions under Increased Monitoring, 19 June 2026
- 21Financial Action Task Force · High-Risk Jurisdictions subject to a Call for Action, 19 June 2026
- 22Eastern and Southern Africa Anti-Money Laundering Group · Zambia Mutual Evaluation Report, June 2019
Direct answers
Zambia KYC, KYB and AML questions
Who is Zambia's financial intelligence unit?+
The Financial Intelligence Centre is Zambia's financial intelligence unit and the statutory agency that receives, analyses and disseminates financial intelligence.
When must a suspicious transaction report be filed in Zambia?+
A reporting entity should file an STR with FIC within three working days of forming a suspicion. The FIC guidance applies this to reasonable grounds to suspect proceeds of crime, terrorism, terrorist financing or proliferation financing.
What is Zambia's currency transaction reporting threshold?+
The 2022 prescribed-threshold framework requires reporting for a cash or monetary transaction of USD 10,000 or more, including linked transactions where applicable. Firms should implement the full Schedule and sector-specific requirements.
How long must AML records be retained in Zambia?+
The FIC Act requires relevant CDD, account, correspondence, transaction and analysis records to be kept for at least 10 years, measured from the applicable transaction or relationship-termination point.
What is the beneficial-owner test for a Zambian company?+
A beneficial owner is a natural person who ultimately owns, controls, exercises substantial interest in, or receives substantial economic benefit from a corporate, or exercises ultimate and effective control. The assessment is not limited to a shareholding percentage.
Is Zambia on the FATF grey list?+
Zambia is not listed in either FATF public statement issued on 19 June 2026: Jurisdictions under Increased Monitoring or High-Risk Jurisdictions subject to a Call for Action. Firms should still monitor every new FATF statement and apply risk-based controls to all relevant geographies.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.1
Operational guidance, not legal advice. Requirements vary by reporting-entity category, licence, product and supervisor. Confirm the current consolidated legislation, FIC directions, BoZ conditions, PACRA filings and data-protection instruments before implementation.