FLURZI COMMIT
Compliance and Risk Governance Framework
Flurzi Mobile App Limited
Company No. 16640198
16 Honiley Way, Coventry, CV2 1SN, United Kingdom
Version 1.0 | Effective Date: March 4, 2026

1. EXECUTIVE SUMMARY
This document constitutes the Compliance and Risk Governance Framework (the "Framework") of Flurzi Mobile App Limited (the "Company"), the operator of the Flurzi Commit structured financial commitment platform. It has been prepared for the purpose of providing banking partners, payment processing institutions, and institutional counterparties with a comprehensive and transparent account of the Company's regulatory positioning, operational controls, financial governance arrangements, risk management architecture, and incident response capabilities.

The Framework addresses the full lifecycle of operational and compliance risk applicable to the Flurzi Commit platform, from member onboarding and payment processing through to Plan completion, termination, and any incident requiring escalation. It is designed to demonstrate that the Company operates with institutional-grade controls commensurate with the nature of the service it provides.

This Framework should be read in conjunction with the Company's Terms and Conditions of Service and its Privacy Policy, each of which forms part of the Company's overarching governance documentation.

TABLE OF CONTENTS
1.  Executive Summary
2.  Regulatory Positioning and Jurisdictional Analysis
3.  Service Architecture and Operational Model
4.  Payment Infrastructure and Processor Relationships
5.  Fund Handling, Internal Ledger, and Financial Controls
6.  Member Risk Thresholds and Operational Triggers
7.  Anti-Money Laundering and Financial Crime Controls
8.  Fraud Prevention and Detection Framework
9.  Data Protection and Cybersecurity Governance
10. Internal Governance Structure and Oversight
11. Incident Classification and Response Framework
12. Expansion Regulatory Review Model
13. Policy Review and Update Schedule

2. REGULATORY POSITIONING AND JURISDICTIONAL ANALYSIS
2.1 Legal Entity and Authorisation Status
2.1.1  Flurzi Mobile App Limited is a private limited company incorporated in England and Wales under Company Number 16640198. The Company's registered office is at 16 Honiley Way, Coventry, CV2 1SN.
2.1.2  The Company is not authorised or regulated by the Financial Conduct Authority (FCA) in respect of its current activities. It does not hold FCA authorisation as a payment institution, electronic money institution, consumer credit provider, or investment services firm. The Company is not registered with the FCA under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011.
2.1.3  The Company is registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration number: [INSERT ICO REGISTRATION NUMBER].
2.2 Regulatory Classification Analysis
2.2.1  The Company has conducted a legal and regulatory classification analysis of the Flurzi Commit service to assess whether any element of the service constitutes a regulated activity under applicable UK financial services law. The key conclusions of this analysis are as follows:
2.2.2  Deposit-taking: The Company does not accept deposits within the meaning of Article 5 of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). Payments made by Members under Commit Plans are not repayable on demand in the manner characteristic of a deposit relationship. The legal relationship between the Company and Members is that of service provider and consumer, not banker and depositor.
2.2.3  Electronic Money Issuance: The Company does not issue electronic money within the meaning of the Electronic Money Regulations 2011. The Company does not issue monetary value stored electronically against payment for use in making transactions. Contribution Balances tracked in the Internal Ledger are accounting records, not e-money balances.
2.2.4  Payment Services: The Company facilitates the collection of payments from Members through its Payment Processors (Stripe and GoCardless), both of which are independently authorised as regulated payment institutions. The Company itself does not execute payment transactions, provide payment accounts, or conduct money remittance. The Company's interaction with the payment process is limited to instructing authorised Payment Processors to collect pre-authorised amounts.
2.2.5  Consumer Credit: The Company does not provide credit, advance funds to Members, or defer the collection of payments in a manner that would constitute the provision of consumer credit under the Consumer Credit Act 1974. No credit agreement exists between the Company and any Member.
2.2.6  Investment Services: The Company does not manage investments, provide investment advice, or operate a collective investment scheme. Commit Plans are not financial instruments. No element of the Service constitutes a MiFID-regulated investment activity under retained UK law.
2.3 Consumer Protection Obligations
2.3.1  Notwithstanding the Company's position that it does not conduct regulated financial services activities, the Company acknowledges that it provides a consumer-facing service and is subject to the full range of applicable consumer protection legislation, including: the Consumer Rights Act 2015; the Consumer Protection from Unfair Trading Regulations 2008; the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013; the Unfair Terms in Consumer Contracts Regulations (as superseded by the Consumer Rights Act 2015 but referenced for interpretive purposes); and all applicable provisions of the UK GDPR and the Data Protection Act 2018.
2.3.2  The Company has designed its Terms and Conditions, fee structures, and operational procedures with consumer protection obligations at the forefront, including the provision of clear and prominent fee disclosure prior to Plan establishment, and fair and transparent complaints handling procedures.
2.4 Regulatory Watch
2.4.1  The Company actively monitors developments in UK financial services regulation, including any publications by the FCA, HM Treasury, the Payment Systems Regulator (PSR), and the Bank of England that may have implications for the regulatory classification of the Service. The Company has engaged (or intends to engage) specialist legal counsel to provide ongoing regulatory monitoring advice.
2.4.2  In the event that any regulatory development requires the Company to seek authorisation, registration, or approval from any competent authority in respect of its activities, the Company commits to taking prompt steps to achieve compliance with such requirements.

3. SERVICE ARCHITECTURE AND OPERATIONAL MODEL
3.1 Platform Description
3.1.1  Flurzi Commit is a structured financial commitment software platform that enables individual Members to establish periodic payment Plans over fixed terms of twelve (12) or twenty-four (24) calendar months. The Platform provides Members with tools to manage their Plans, monitor their payment history, and interact with the Company's customer support function.
3.1.2  The core value proposition of the Service is the facilitation of structured financial discipline through voluntary, contractually binding payment commitments. The Service is designed to assist Members in achieving personal financial goals by maintaining a regular payment habit over a defined period.
3.2 Operational Flow
3.2.1  The operational lifecycle of a Commit Plan follows the sequence described below:
3.2.2  Onboarding: the prospective Member registers for an Account on the Platform, provides identity and contact details, accepts the Terms and Conditions and Privacy Policy, and completes any required identity verification steps.
3.2.3  Plan Establishment: the Member selects the Plan term (12 or 24 months), the payment amount, and the payment frequency. The Member authorises the Company to collect payments in accordance with the selected parameters. A standing payment authorisation (CPA or Direct Debit mandate) is established through the relevant Payment Processor.
3.2.4  Payment Collection: on each scheduled payment date, the Company instructs the relevant Payment Processor to collect the scheduled amount from the Member's nominated payment method. Successful collections are recorded on the Internal Ledger.
3.2.5  Exception Management: failed, Late, or Missed Payments are identified and managed in accordance with the exception thresholds described in Section 6 of this Framework. Automated notifications are sent to Members upon payment exceptions being identified.
3.2.6  Completion or Termination: upon Completion of the Plan Term, the Completion Fee is collected and the Plan is closed. Upon Early Termination (whether voluntary or Company-initiated), the Early Termination Fee is collected and the Plan is closed.
3.3 Technical Infrastructure
3.3.1  The Platform is hosted on [INSERT CLOUD HOSTING PROVIDER], which provides enterprise-grade infrastructure with high availability, automated backups, and disaster recovery capabilities. Infrastructure is located in [INSERT DATA CENTRE LOCATION], within the United Kingdom (or within the EEA under appropriate data transfer mechanisms).
3.3.2  The Platform employs a modular software architecture that separates core service components, including authentication, payment instruction management, ledger management, notification services, and reporting, into distinct functional layers with appropriate access controls between them.

4. PAYMENT INFRASTRUCTURE AND PROCESSOR RELATIONSHIPS
4.1 Payment Processor Relationships
4.1.1  The Company has established commercial and contractual relationships with two authorised Payment Processors for the collection of payments from Members:
4.1.2  Stripe Payments Europe, Ltd: Stripe is used as the primary payment processor for card-based transactions and other electronic payment methods. Stripe is authorised and regulated by the Central Bank of Ireland as an Electronic Money Institution and by the FCA as an Electronic Money Institution operating under the Temporary Permission Regime in the United Kingdom. The Company's relationship with Stripe is governed by Stripe's Connected Account Agreement and Stripe's Services Agreement, together with a data processing agreement entered into pursuant to Article 28 of the UK GDPR.
4.1.3  GoCardless Ltd: GoCardless is used for Direct Debit-based transactions. GoCardless is authorised by the FCA as a payment institution under the Payment Services Regulations 2017. The Company's relationship with GoCardless is governed by GoCardless's Partner Agreement and a data processing agreement entered into pursuant to Article 28 of the UK GDPR.
4.2 Payment Authorisation Structure
4.2.1  All scheduled periodic payments under Commit Plans are collected under pre-authorised standing payment arrangements. The specific authorisation mechanism depends on the Member's nominated payment method:
4.2.2  Card Payments: Members who nominate a debit or credit card provide a Continuous Payment Authority (CPA) via Stripe. The CPA authorises the Company to instruct Stripe to collect scheduled payments without requiring additional authorisation from the Member for each transaction.
4.2.3  Direct Debit: Members who nominate a UK bank account provide a Direct Debit mandate via GoCardless. The mandate is established in accordance with the Bacs Direct Debit Scheme rules and authorises the Company to instruct GoCardless to collect scheduled payments from the Member's bank account.
4.2.4  All payment authorisations are obtained at the time of Plan establishment and are recorded by the relevant Payment Processor. The Company retains evidence of each authorisation in its records.
4.3 PCI DSS Compliance
4.3.1  The Company processes payment card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). The Company's architecture is designed to minimise its PCI DSS scope by ensuring that cardholder data is handled exclusively by Stripe, which maintains PCI DSS Level 1 certification. Full card numbers, expiry dates, and CVV codes are not stored in the Company's systems.
4.3.2  The Company maintains its PCI DSS compliance status through annual self-assessment and, where required by applicable card scheme rules, through engagement with a Qualified Security Assessor (QSA).
4.4 Payment Processor Due Diligence
4.4.1  Prior to onboarding each Payment Processor, the Company conducted due diligence to verify the processor's regulatory authorisation status, financial stability, data security standards, and compliance track record. This due diligence is refreshed on an annual basis.
4.4.2  The Company monitors all payment processor service agreements for material changes that may affect the Company's operational or compliance obligations and will re-evaluate its processor relationships if material adverse changes are identified.

5. FUND HANDLING, INTERNAL LEDGER, AND FINANCIAL CONTROLS
5.1 Fund Handling Architecture
5.1.1  All Member payments collected under Commit Plans are received into the Company's primary Stripe account. The Company does not operate separate client money accounts in respect of Member contributions. This arrangement does not constitute regulated client money handling: the Company does not hold regulated client assets, is not a regulated payment institution, and the payments represent fees and contributions under service agreements rather than funds held on trust for clients.
5.1.2  The Company acknowledges that because Member contribution payments and Company revenue are received into the same Stripe infrastructure, the maintenance of a rigorous Internal Ledger is essential to ensure accurate attribution, reporting, and reconciliation of each Member's contributions.
5.2 Internal Ledger System
5.2.1  The Company maintains an Internal Ledger that records and tracks, for each individual Member and each individual Active Plan: (a) the date and amount of each scheduled payment; (b) the outcome of each payment collection attempt (successful, Late, or Missed); (c) the cumulative Contribution Balance from Plan inception; (d) the applicable fee basis (Completion Fee or Early Termination Fee) as it accrues; and (e) the outstanding balance of any unpaid fees.
5.2.2  The Internal Ledger provides the definitive basis for fee calculation upon Plan Completion or Early Termination, for the production of Member Account statements, and for internal financial reporting and reconciliation.
5.2.3  The Internal Ledger is maintained within the Company's core application database, with appropriate access controls restricting modification rights to authorised system processes and designated personnel.
5.3 Reconciliation Procedures
5.3.1  The Company performs reconciliation of Internal Ledger records against payment data from the Payment Processors on a regular basis and in any event not less than weekly. The reconciliation process involves: (a) downloading transaction reports from Stripe and GoCardless for the relevant period; (b) matching each received payment against the corresponding Internal Ledger entry; (c) identifying and investigating any discrepancies, including unmatched payments, incorrect amounts, or timing differences; and (d) recording and resolving all discrepancies within a defined resolution timeframe.
5.3.2  Reconciliation results are recorded in a reconciliation log that is reviewed by the Company's designated finance officer or equivalent. Material discrepancies that cannot be resolved within five (5) business days are escalated to senior management.
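The following is an added illustration of the reconciliation steps (b) to (d) in clause 5.3.1 and the five-business-day escalation rule in clause 5.3.2; it is not the Company's own reconciliation tooling. The record shapes, the three-day settlement tolerance used to distinguish a timing difference from a clean match, and the sample ledger and processor rows are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import List, Optional

# Hypothetical record shapes; the Company's real ledger schema is not described in the Framework.
@dataclass(frozen=True)
class LedgerEntry:
    plan_id: str
    due_date: date
    amount: Decimal
    processor_ref: Optional[str]   # processor reference recorded on successful collection, else None

@dataclass(frozen=True)
class ProcessorTxn:
    processor: str                 # "stripe" or "gocardless"
    ref: str
    settled: date
    amount: Decimal

@dataclass
class Discrepancy:
    kind: str                      # unmatched_payment | unmatched_ledger | amount_mismatch | timing_difference
    detail: str
    raised: date
    resolved: Optional[date] = None

def reconcile(ledger: List[LedgerEntry], txns: List[ProcessorTxn],
              run_date: date, timing_tolerance_days: int = 3) -> List[Discrepancy]:
    """Step (b): match each processor transaction to the ledger entry carrying the same
    reference. Step (c): classify whatever does not match. The 3-day timing tolerance is an
    assumed settlement-lag allowance, not a figure from the Framework."""
    by_ref = {e.processor_ref: e for e in ledger if e.processor_ref}
    found: List[Discrepancy] = []
    matched = set()
    for t in txns:
        entry = by_ref.get(t.ref)
        if entry is None:
            found.append(Discrepancy("unmatched_payment", f"{t.processor} {t.ref} {t.amount}", run_date))
            continue
        matched.add(t.ref)
        if entry.amount != t.amount:
            found.append(Discrepancy("amount_mismatch",
                                     f"{entry.plan_id}: ledger {entry.amount}, processor {t.amount}", run_date))
        elif abs((t.settled - entry.due_date).days) > timing_tolerance_days:
            found.append(Discrepancy("timing_difference",
                                     f"{entry.plan_id}: due {entry.due_date}, settled {t.settled}", run_date))
    # Ledger says "collected" but the processor report carries no such transaction.
    for e in ledger:
        if e.processor_ref and e.processor_ref not in matched:
            found.append(Discrepancy("unmatched_ledger", f"{e.plan_id} {e.processor_ref}", run_date))
    return found

def business_days_between(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end` (no bank-holiday calendar)."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n += 1
    return n

def needs_escalation(disc: Discrepancy, today: date, limit: int = 5) -> bool:
    """5.3.2: an unresolved discrepancy older than five business days goes to senior management."""
    return disc.resolved is None and business_days_between(disc.raised, today) > limit

# Constructed sample: collections due Monday 2 March 2026, reconciled on Wednesday 4 March.
RUN_DATE = date(2026, 3, 4)
SAMPLE_LEDGER = [
    LedgerEntry("P-1", date(2026, 3, 2), Decimal("50.00"), "ch_1"),
    LedgerEntry("P-2", date(2026, 3, 2), Decimal("25.00"), "pm_2"),
    LedgerEntry("P-3", date(2026, 3, 2), Decimal("40.00"), "ch_3"),   # ledger marked paid, processor silent
    LedgerEntry("P-4", date(2026, 3, 9), Decimal("20.00"), None),     # not yet collected: ignored
    LedgerEntry("P-5", date(2026, 3, 2), Decimal("30.00"), "ch_5"),
]
SAMPLE_TXNS = [
    ProcessorTxn("stripe", "ch_1", date(2026, 3, 2), Decimal("50.00")),      # clean match
    ProcessorTxn("gocardless", "pm_2", date(2026, 3, 9), Decimal("25.00")),  # settled 7 days after due date
    ProcessorTxn("stripe", "ch_5", date(2026, 3, 2), Decimal("25.00")),      # wrong amount
    ProcessorTxn("stripe", "ch_9", date(2026, 3, 3), Decimal("10.00")),      # nothing in the ledger
]

def sample_run() -> List[Discrepancy]:
    return reconcile(SAMPLE_LEDGER, SAMPLE_TXNS, run_date=RUN_DATE)

def sample_escalations(days_after_run: int) -> List[bool]:
    """Escalation flags for every sample discrepancy, `days_after_run` calendar days after the run."""
    today = RUN_DATE + timedelta(days=days_after_run)
    return [needs_escalation(d, today) for d in sample_run()]

if __name__ == "__main__":
    for d in sample_run():
        print(d.kind, "-", d.detail)
    print("escalate after 7 days:", sample_escalations(7))
    print("escalate after 8 days:", sample_escalations(8))
```

Matching on the processor reference rather than on amount and date is what makes the four discrepancy classes separable: an amount or date mismatch on a matched reference is a data problem on one side, while an unmatched reference on either side points to a missing or duplicated collection. Weekday counting here ignores bank holidays, so a production version would plug in a holiday calendar before the five-day clock is relied on.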
5.4 Financial Record-Keeping
5.4.1  The Company maintains financial records in accordance with the requirements of the Companies Act 2006 and applicable HMRC guidelines. All financial records are retained for a minimum period of seven (7) years from the end of the relevant financial year.
5.4.2  The Company prepares annual statutory accounts in accordance with UK Generally Accepted Accounting Practice (UK GAAP) or International Financial Reporting Standards (IFRS), as applicable, and submits these to Companies House in accordance with its filing obligations.
5.5 Revenue Recognition and Fee Accounting
5.5.1  The Company recognises revenue in respect of the Completion Fee and Early Termination Fee upon the successful collection of each fee from the relevant Member. Revenue in respect of any other service charges is recognised in accordance with the Company's revenue recognition policy, which conforms to applicable UK accounting standards.
5.5.2  The Company maintains clear records distinguishing: (a) fee income earned (Completion Fees and Early Termination Fees collected); (b) outstanding accrued fee entitlements (fees earned but not yet collected); and (c) Member Contribution Balances (cumulative payments made by Members under Active Plans).

6. MEMBER RISK THRESHOLDS AND OPERATIONAL TRIGGERS
6.1 Overview of Risk Threshold Architecture
6.1.1  The Flurzi Commit platform incorporates a tiered risk threshold architecture designed to identify Members experiencing payment difficulties at an early stage, to prompt remediation where possible, and to initiate proportionate operational responses where payment failures persist. The architecture is designed to balance the Company's commercial interests with fair treatment of Members and compliance with applicable consumer protection standards.
6.2 Payment Exception Definitions and Thresholds

Exception Type | Definition | Operational Response
--- | --- | ---
Late Payment | Payment not collected on due date but recovered within 7 calendar days. | Automated notification to Member. No additional fee charged. Recorded on Account. Considered in Plan Cap elevation eligibility assessment.
Missed Payment | Payment not collected on due date and not recovered within 7 calendar days. | Automated notification to Member. Payment remains outstanding and is scheduled for retry. Recorded on Account. Third Missed Payment triggers Suspension consideration.
Suspension Trigger | Accrual of 3 Missed Payments on a single Plan. | Plan and/or Account Suspension may be imposed. Member notified with cure instructions. Payments may be paused or continued at Company discretion.
Cancellation Trigger | 30 consecutive days of unresolved Missed Payment(s) on a Plan. | Cancellation notice issued with 14-day cure period. If unresolved, Plan Cancelled. Early Termination Fee charged.

6.3 Plan Cap Risk Controls
6.3.1  The Plan Cap architecture serves a dual purpose: it limits the maximum concurrent financial exposure of individual Members and it controls the Company's operational and credit risk. By capping concurrent Plans at five (5) for standard Members, the Company ensures that the aggregate financial commitment undertaken by any one Member remains within reasonable limits relative to typical individual payment capacity.
6.3.2  The Elevated Plan Cap of ten (10) concurrent Active Plans is available only to Members who have demonstrated a sustained record of successful Plan management, as evidenced by: (a) Completion of at least 50% of Active Plans; and (b) no more than two (2) Late Payments in total across all Plans. This gatekeeping mechanism is designed to ensure that Plan Cap elevation is granted only to Members who have demonstrated the financial discipline and capacity to manage an increased number of concurrent commitments.
6.3.3  The Plan Cap eligibility assessment is conducted at the time of each elevation request and is based on live Account data drawn from the Internal Ledger. Elevation decisions are documented and stored for audit purposes.
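As an added worked example (not the Platform's own code), the rules of the Section 6.2 table and the Plan Cap gate of clause 6.3.2 are modelled below against a constructed payment history. Two readings are assumptions and are labelled as such in the code: the 30 consecutive days are counted from the due date of the oldest Missed Payment that is still uncollected, and the 50% completion ratio in 6.3.2(a) is taken over all Plans the Member has held (completed plus currently active).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the Section 6.2 table and clauses 6.3.1 to 6.3.2.
LATE_WINDOW_DAYS = 7                 # recovered within 7 calendar days -> Late, otherwise Missed
SUSPENSION_MISSED_COUNT = 3          # third Missed Payment on one Plan -> Suspension consideration
CANCELLATION_UNRESOLVED_DAYS = 30    # 30 consecutive days unresolved -> cancellation notice
CURE_PERIOD_DAYS = 14                # cure period stated in the cancellation notice
STANDARD_PLAN_CAP = 5
ELEVATED_PLAN_CAP = 10
ELEVATION_MAX_LATE = 2               # no more than two Late Payments across all Plans

@dataclass(frozen=True)
class ScheduledPayment:
    due: date
    collected: Optional[date]        # None while still outstanding

def classify(p: ScheduledPayment, today: date) -> str:
    """on_time | late | missed | pending ('pending' = uncollected but still inside the 7-day window)."""
    if p.collected is not None:
        if p.collected <= p.due:
            return "on_time"
        return "late" if (p.collected - p.due).days <= LATE_WINDOW_DAYS else "missed"
    return "pending" if (today - p.due).days <= LATE_WINDOW_DAYS else "missed"

def plan_triggers(payments: List[ScheduledPayment], today: date) -> Dict[str, object]:
    """Evaluate the Suspension and Cancellation triggers for one Plan.
    Assumption: the 30 'consecutive days of unresolved Missed Payment(s)' run from the due date
    of the oldest Missed Payment that is still uncollected."""
    states = [classify(p, today) for p in payments]
    missed = sum(1 for s in states if s == "missed")   # recovered-after-7-days still counts as Missed
    unresolved = [p.due for p, s in zip(payments, states) if s == "missed" and p.collected is None]
    cure_deadline = None
    if unresolved and (today - min(unresolved)).days >= CANCELLATION_UNRESOLVED_DAYS:
        cure_deadline = today + timedelta(days=CURE_PERIOD_DAYS)
    return {
        "missed": missed,
        "suspension_review": missed >= SUSPENSION_MISSED_COUNT,
        "cancellation_notice": cure_deadline is not None,
        "cure_deadline": cure_deadline,
    }

def plan_cap(completed_plans: int, active_plans: int, late_payments_total: int) -> int:
    """6.3.2 gate. Assumption: the 50% completion ratio is taken over every Plan the Member has
    held (completed plus active); a Member with no Plan history gets the standard cap."""
    total = completed_plans + active_plans
    if total and completed_plans / total >= 0.5 and late_payments_total <= ELEVATION_MAX_LATE:
        return ELEVATED_PLAN_CAP
    return STANDARD_PLAN_CAP

def may_open_plan(completed_plans: int, active_plans: int, late_payments_total: int) -> bool:
    return active_plans < plan_cap(completed_plans, active_plans, late_payments_total)

# Constructed weekly payment history for one Plan, evaluated on 25 March 2026.
SAMPLE_TODAY = date(2026, 3, 25)
SAMPLE_PAYMENTS = [
    ScheduledPayment(date(2026, 2, 2), date(2026, 2, 2)),    # on time
    ScheduledPayment(date(2026, 2, 9), date(2026, 2, 14)),   # late (5 days)
    ScheduledPayment(date(2026, 2, 16), date(2026, 3, 2)),   # missed (14 days), later recovered
    ScheduledPayment(date(2026, 2, 23), None),               # missed, unresolved for 30 days
    ScheduledPayment(date(2026, 3, 2), None),                # missed
    ScheduledPayment(date(2026, 3, 9), None),                # missed
    ScheduledPayment(date(2026, 3, 16), None),               # missed
    ScheduledPayment(date(2026, 3, 23), None),               # pending (2 days)
]

def sample_states() -> List[str]:
    return [classify(p, SAMPLE_TODAY) for p in SAMPLE_PAYMENTS]

def sample_triggers() -> Dict[str, object]:
    return plan_triggers(SAMPLE_PAYMENTS, SAMPLE_TODAY)

if __name__ == "__main__":
    print(sample_states())
    print(sample_triggers())
    print("cap for 3 completed / 2 active / 2 late:", plan_cap(3, 2, 2))
```

Keeping the classification of each scheduled payment separate from the Plan-level triggers mirrors the table: the Late/Missed label belongs to the individual payment and is what the Plan Cap assessment later reads, while Suspension and Cancellation are properties of the Plan's accumulated record.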

7. ANTI-MONEY LAUNDERING AND FINANCIAL CRIME CONTROLS
7.1 AML Risk Assessment
7.1.1  The Company has conducted an anti-money laundering (AML) risk assessment of the Flurzi Commit service. The principal findings of this assessment are as follows:
7.1.2  Product Risk: the Commit Plan product is a structured periodic payment service with a fixed term and a pre-agreed payment amount. The product does not involve the movement of large sums, does not involve cash transactions, and does not involve third-party payments. The product's structure limits its attractiveness as a vehicle for money laundering. The Company's overall AML product risk rating is assessed as low to medium.
7.1.3  Customer Risk: the Service is available only to UK-resident individuals over the age of 18 with a verified UK bank account or payment card. This customer profile limits exposure to high-risk jurisdictions and customer categories. The Company does not currently serve business customers, politically exposed persons (PEPs), or customers from high-risk jurisdictions designated by the Financial Action Task Force (FATF).
7.1.4  Channel Risk: the Service is delivered exclusively through digital channels, which introduces a degree of identity verification risk that is mitigated through the Company's identity verification procedures.
7.2 Know Your Customer Procedures
7.2.1  The Company applies Know Your Customer (KYC) procedures at the point of Account registration. At minimum, KYC procedures include: (a) collection of full legal name and date of birth; (b) collection of residential address; (c) verification of identity through a combination of document-based verification (government-issued identity document) and electronic identity verification using a third-party identity verification provider; and (d) sanctions screening against applicable UK and international sanctions lists.
7.2.2  The Company operates a risk-based approach to KYC, under which enhanced due diligence may be applied to higher-risk customers or accounts, including where the Company identifies unusual account activity or payment patterns inconsistent with the Member's profile.
7.3 Transaction Monitoring
7.3.1  The Company implements transaction monitoring procedures designed to identify unusual or suspicious payment activity in connection with the Platform. Monitoring rules are reviewed and updated on a regular basis to reflect emerging money laundering and fraud typologies.
7.3.2  Alerts generated by transaction monitoring are reviewed by a designated compliance officer or equivalent, who shall determine the appropriate response, including whether a Suspicious Activity Report (SAR) is required under the Proceeds of Crime Act 2002.
7.4 Suspicious Activity Reporting
7.4.1  The Company maintains a Suspicious Activity Reporting policy that sets out the procedures for identifying, investigating, and reporting suspicious activity to the National Crime Agency (NCA) via the Suspicious Activity Reports Online system, in accordance with the Company's obligations under Part 7 of the Proceeds of Crime Act 2002 and the Terrorism Act 2000.
7.4.2  Employees with access to Account and transaction data receive training on identifying and reporting suspicious activity. The Company's nominated Money Laundering Reporting Officer (MLRO) is responsible for reviewing internal disclosures and determining whether an external SAR is warranted.

8. FRAUD PREVENTION AND DETECTION FRAMEWORK
8.1 Fraud Risk Categories
8.1.1  The Company has identified the following principal categories of fraud risk applicable to the Platform:
8.1.2  Identity Fraud: the risk that a person registers for an Account using stolen or fabricated identity credentials.
8.1.3  Payment Fraud: the risk that a Member uses stolen or unauthorised payment credentials (card details or bank account details) to fund a Commit Plan.
8.1.4  Chargeback Fraud: the risk that a Member makes scheduled payments under a Commit Plan and then initiates fraudulent chargebacks to recover those payments while retaining the benefit of any accumulated contributions.
8.1.5  Account Takeover: the risk that a third party gains unauthorised access to a Member's Account and uses it for fraudulent purposes.
8.1.6  Structural Exploitation: the risk that a Member or group of Members attempts to exploit the Plan mechanics or fee structures in an unintended manner for financial gain.
8.2 Preventive Controls
8.2.1  The Company implements the following preventive controls to mitigate fraud risk:
8.2.2  Identity Verification: all Account registrations are subject to mandatory identity verification using a combination of document verification and electronic identity checks, as described in Section 7.2.
8.2.3  Device Fingerprinting: the Platform employs device fingerprinting to identify multiple Accounts registered from the same device, which may indicate attempted duplicate Account creation.
8.2.4  IP Address Monitoring: login and registration events are monitored for suspicious IP address patterns, including high-velocity registration events, logins from known Tor exit nodes or VPN services, and logins from locations inconsistent with the Member's registered address.
8.2.5  Payment Method Velocity Checks: checks are applied to detect the use of the same payment method across multiple Accounts or the rapid addition of new payment methods, which may indicate payment credential testing or fraud.
8.2.6  Multi-Factor Authentication: Members are offered multi-factor authentication to secure their Account and, where risk indicators are present, are required to use it.
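The device, IP-velocity and payment-method checks of clauses 8.2.3 to 8.2.5 reduce to a small set of grouping and sliding-window rules over registration and payment-method events. The block below is an added example of that detection logic run over a constructed event stream; it is not the Platform's fraud engine. The thresholds (three registrations from one IP within an hour, three payment-method additions on one Account within ten minutes) are illustrative assumptions, since the Framework names the rule types but not their values, and `pm_fingerprint` stands for a processor-supplied payment-method fingerprint rather than any card data, consistent with clause 4.3.1.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                 # "register" or "add_payment_method"
    account: str
    device: str = ""          # device fingerprint (8.2.3)
    ip: str = ""              # client IP at registration (8.2.4)
    pm_fingerprint: str = ""  # processor-supplied payment method fingerprint, never raw card data (4.3.1)

# Illustrative thresholds (assumed); the Framework states the rule types but not the numbers.
REG_VELOCITY_LIMIT = 3
REG_VELOCITY_WINDOW = timedelta(hours=1)
PM_ADD_LIMIT = 3
PM_ADD_WINDOW = timedelta(minutes=10)

def sliding_window_hits(times: List[datetime], limit: int, window: timedelta) -> bool:
    """True if at least `limit` timestamps fall inside any span of length `window` (two-pointer sweep)."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= limit:
            return True
    return False

Alert = Tuple[str, str, object]   # (rule, subject, evidence)

def run_checks(events: List[Event]) -> List[Alert]:
    device_accounts: Dict[str, Set[str]] = defaultdict(set)
    ip_reg_times: Dict[str, List[datetime]] = defaultdict(list)
    pm_accounts: Dict[str, Set[str]] = defaultdict(set)
    pm_add_times: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "register":
            device_accounts[e.device].add(e.account)
            ip_reg_times[e.ip].append(e.ts)
        elif e.kind == "add_payment_method":
            pm_accounts[e.pm_fingerprint].add(e.account)
            pm_add_times[e.account].append(e.ts)
    alerts: List[Alert] = []
    for dev, accts in device_accounts.items():            # 8.2.3: several Accounts from one device
        if len(accts) > 1:
            alerts.append(("shared_device", dev, sorted(accts)))
    for ip, times in ip_reg_times.items():                # 8.2.4: high-velocity registrations
        if sliding_window_hits(times, REG_VELOCITY_LIMIT, REG_VELOCITY_WINDOW):
            alerts.append(("registration_velocity", ip, len(times)))
    for pm, accts in pm_accounts.items():                 # 8.2.5: one payment method, many Accounts
        if len(accts) > 1:
            alerts.append(("shared_payment_method", pm, sorted(accts)))
    for acct, times in pm_add_times.items():              # 8.2.5: rapid payment-method additions
        if sliding_window_hits(times, PM_ADD_LIMIT, PM_ADD_WINDOW):
            alerts.append(("payment_method_churn", acct, len(times)))
    return alerts

def _t(h: int, m: int) -> datetime:
    return datetime(2026, 3, 4, h, m)

# Constructed event stream; IPs are from the documentation ranges, fingerprints are made up.
SAMPLE_EVENTS = [
    Event(_t(9, 0), "register", "A1", device="dev-1", ip="203.0.113.5"),
    Event(_t(9, 10), "register", "A2", device="dev-1", ip="203.0.113.5"),
    Event(_t(9, 20), "register", "A3", device="dev-2", ip="203.0.113.5"),
    Event(_t(12, 0), "register", "A4", device="dev-3", ip="198.51.100.7"),
    Event(_t(9, 30), "add_payment_method", "A1", pm_fingerprint="pm-f1"),
    Event(_t(9, 35), "add_payment_method", "A2", pm_fingerprint="pm-f1"),
    Event(_t(10, 0), "add_payment_method", "A4", pm_fingerprint="pm-f2"),
    Event(_t(10, 3), "add_payment_method", "A4", pm_fingerprint="pm-f3"),
    Event(_t(10, 6), "add_payment_method", "A4", pm_fingerprint="pm-f4"),
]

def sample_alerts() -> List[Alert]:
    return run_checks(SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, subject, evidence in sample_alerts():
        print(f"{rule}: {subject} -> {evidence}")
```

Each alert names the rule, the shared subject (device, IP, payment method or Account) and the evidence, which is the shape a compliance or fraud officer needs under clause 8.4.1(c) to decide between a false positive (a household sharing one device) and a case for suspension. Running the checks in batch over sorted events keeps them deterministic; the same rules can be applied incrementally at registration or payment-method-add time to gate the step-up controls of clause 8.2.6.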
8.3 Detective Controls
8.3.1  The Company implements the following detective controls:
8.3.2  Transaction Monitoring Rules: automated monitoring rules flag transactions and account behaviours that exhibit known fraud indicators, such as payment patterns inconsistent with the Member's history, unusual payment method changes, or high chargeback rates.
8.3.3  Chargeback Rate Monitoring: the Company monitors its chargeback rate across both Stripe and GoCardless. A sustained elevation in chargeback rates triggers a formal review of the root causes and enhancement of preventive controls where appropriate.
8.3.4  Anomaly Detection: the Company employs anomaly detection analytics to identify account or payment behaviours that deviate materially from expected patterns.
8.4 Response Procedures
8.4.1  Where fraud is suspected or detected, the Company's response procedure includes: (a) immediate suspension of the affected Account(s) pending investigation; (b) notification to the relevant Payment Processor(s) to flag the account or transaction; (c) investigation by the designated compliance or fraud officer; (d) referral to law enforcement authorities where appropriate; (e) submission of a Suspicious Activity Report to the NCA where required; and (f) documentation of all actions taken in the Company's fraud incident log.

9. DATA PROTECTION AND CYBERSECURITY GOVERNANCE
9.1 Data Protection Governance
9.1.1  The Company's data protection governance arrangements are set out in detail in the Company's Privacy Policy. From a governance perspective, the key elements of the data protection framework include: designation of a responsible person within the organisation for data protection compliance; maintenance of a Record of Processing Activities (ROPA) in accordance with Article 30 of the UK GDPR; implementation of a data breach notification procedure in accordance with Articles 33 and 34 of the UK GDPR; conduct of Data Protection Impact Assessments (DPIAs) where new processing activities or significant changes to existing processing activities present a high risk to individuals' rights and freedoms; and ongoing staff training on data protection obligations.
9.2 Cybersecurity Governance
9.2.1  The Company maintains a cybersecurity governance programme that encompasses the following elements:
9.2.2  Security Policies: the Company maintains written information security policies covering access control, data classification, acceptable use, incident response, vulnerability management, and change management.
9.2.3  Penetration Testing: the Platform and associated infrastructure are subject to periodic penetration testing by qualified third-party security professionals, conducted not less than annually or following material changes to the Platform architecture.
9.2.4  Vulnerability Management: the Company maintains a vulnerability management programme that identifies, prioritises, and remediates security vulnerabilities in accordance with a risk-based approach. Critical vulnerabilities are addressed within defined timeframes.
9.2.5  Third-Party Security: the security posture of principal third-party vendors and Data Processors is reviewed as part of the Company's vendor due diligence process.

10. INTERNAL GOVERNANCE STRUCTURE AND OVERSIGHT
10.1 Governance Architecture
10.1.1  The Company operates a governance structure appropriate for a company at its stage of development. The Company's board of directors (the "Board") retains ultimate oversight responsibility for compliance, risk management, and operational governance.
10.1.2  The Board meets at intervals of not less than quarterly to review: financial performance; compliance status, including any regulatory developments; significant operational incidents or near-misses; fraud and AML monitoring reports; data protection compliance status; and the overall adequacy of the Company's risk and governance framework.
10.2 Roles and Responsibilities

Role | Principal Responsibilities
--- | ---
Board of Directors | Ultimate oversight of compliance and risk; approval of material policies; governance of significant incidents.
Chief Executive Officer / Managing Director | Day-to-day operational management; accountability for regulatory compliance; implementation of Board strategy.
Compliance Officer / MLRO | Oversight of AML and financial crime controls; SAR submissions; regulatory monitoring; internal compliance reporting.
Data Protection Lead | Oversight of UK GDPR compliance; ROPA maintenance; DPIA management; data breach response coordination; ICO liaison.
Finance Officer | Internal Ledger oversight; reconciliation review; financial record-keeping; statutory accounts preparation.
Technical / Platform Lead | Platform security; vulnerability management; payment system integration oversight; incident response technical lead.

10.3 Compliance Monitoring
10.3.1  The Company conducts regular compliance monitoring activities, including: review of Terms and Conditions for ongoing compliance with applicable consumer protection law; review of the Privacy Policy for ongoing compliance with the UK GDPR; review of AML and fraud controls against evolving regulatory guidance and industry typologies; review of payment processing arrangements for ongoing compliance with card scheme rules and payment processor requirements; and review of data processing activities and Data Processor arrangements.
10.3.2  Compliance monitoring findings are documented and reported to the Board at its quarterly meetings. Material compliance issues are escalated to the Board immediately upon identification.

11. INCIDENT CLASSIFICATION AND RESPONSE FRAMEWORK
11.1 Incident Classification
11.1.1  The Company classifies operational, security, and compliance incidents into three tiers based on severity and potential impact:

Tier | Criteria | Response Time / Actions
--- | --- | ---
Tier 1 — Critical | Complete Platform outage; confirmed data breach; confirmed fraud affecting multiple Members; regulatory enforcement action; payment processor suspension. | Immediate activation of incident response team; senior management notification within 1 hour; Board notification within 4 hours; external notifications as required by law (e.g. ICO within 72 hours for data breach).
Tier 2 — Significant | Partial Platform outage; suspected (unconfirmed) data breach; payment processing failure affecting multiple Members; single confirmed fraud incident. | Incident response team notified within 2 hours; senior management notification within 4 hours; investigation commenced immediately; resolution within 24 hours where possible.
Tier 3 — Standard | Individual payment exceptions; single Member account issues; minor technical errors; customer complaints with potential compliance implications. | Logged and assigned to responsible officer within 1 business day; resolution within 5 business days; reported in monthly operational review.

11.2 Incident Response Procedure
11.2.1  Upon identification of an incident of any tier, the following response procedure applies:
11.2.2  Identification and Logging: the incident is identified, logged in the Company's incident register with a timestamp, and assigned a severity tier. The identification may originate from automated monitoring systems, employee observation, Member reports, or third-party notifications.
11.2.3  Containment: immediate steps are taken to contain the incident and prevent further impact. For Tier 1 incidents, this may include taking affected Platform components offline, suspending payment processing, or revoking access credentials.
11.2.4  Assessment: the incident is assessed to determine: the nature and root cause of the incident; the scope of impact (systems, data, Members affected); the regulatory notification obligations triggered (if any); and the remediation steps required.
11.2.5  Notification: notifications are made to required parties in accordance with the timetables set out in Clause 11.1.1 and applicable legal obligations. For data breaches, the ICO notification timeframe of seventy-two (72) hours from becoming aware of the breach is strictly observed.
11.2.6  Remediation: remediation steps are implemented in accordance with the incident assessment. Technical fixes, process changes, or enhanced controls are put in place as appropriate.
11.2.7  Post-Incident Review: a post-incident review is conducted for all Tier 1 and Tier 2 incidents within fourteen (14) days of incident resolution. The review documents lessons learned and identifies any systemic weaknesses that require addressing.
11.2.8  Documentation: all incidents are fully documented in the Company's incident register, including the incident description, timeline, actions taken, notifications made, and remediation outcome. Incident records are retained for a minimum of seven (7) years.

12. EXPANSION REGULATORY REVIEW MODEL
12.1 Phase 1 — United Kingdom (Current)
12.1.1  The Service is currently available exclusively to Members resident in the United Kingdom. The Company's compliance framework is designed around UK regulatory requirements, including the UK GDPR, the Data Protection Act 2018, the Consumer Rights Act 2015, the Consumer Contracts Regulations 2013, and applicable financial services legislation.
12.2 Phase 2 — European Union Expansion
12.2.1  The Company anticipates expanding the Service to European Union member states as a second phase of commercial development. Prior to commencing operations in any EU member state, the Company will conduct or commission a comprehensive regulatory review covering:
12.2.2  Regulatory Classification: a jurisdiction-by-jurisdiction assessment of whether the Service constitutes a regulated activity in the target member state under applicable transpositions of EU financial services law, including PSD2/PSD3, the E-Money Directive, the Consumer Credit Directive, and MiFID II.
12.2.3  EU GDPR Compliance: review of the Company's data processing activities against the requirements of Regulation (EU) 2016/679 (EU GDPR), which differs from UK GDPR in certain respects following the UK's departure from the EU. Assessment of whether a representative in the EU is required under Article 27 of the EU GDPR. Assessment of whether a new legal basis for data transfers from the EU to the UK is required (UK adequacy decision currently in force but subject to periodic review).
12.2.4  Consumer Protection: assessment of applicable EU consumer protection law requirements in target member states, including the Consumer Rights Directive (2011/83/EU and its amendments), the Unfair Contract Terms Directive (93/13/EEC), and any applicable national consumer protection provisions.
12.2.5  Payment Infrastructure: assessment of whether the Company's current payment processing arrangements with Stripe and GoCardless support the target EU jurisdictions, and whether any additional payment processor relationships are required.
12.3 Phase 3 — Global Expansion
12.3.1  For any expansion beyond the UK and EU, the Company will apply its regulatory review model on a territory-by-territory basis prior to entering each new jurisdiction. The review model includes: legal and regulatory classification analysis; data protection and privacy law compliance assessment; consumer protection compliance review; anti-money laundering and financial crime compliance assessment; tax and corporate structure review; and operational and payment infrastructure assessment.
12.3.2  The Company will engage local legal counsel in each target jurisdiction as part of its expansion regulatory review process.

13. POLICY REVIEW AND UPDATE SCHEDULE
13.1  This Compliance and Risk Governance Framework is subject to periodic review to ensure that it remains current and reflective of the Company's operational environment, applicable law, and regulatory guidance. The review schedule is as follows:

Document | Review Frequency | Trigger for Ad Hoc Review
---------|------------------|--------------------------
Compliance and Risk Governance Framework | Annual | Material regulatory change; significant incident; expansion into new jurisdiction; material change to business model.
Terms and Conditions of Service | Annual | Legislative or regulatory change; product change; material commercial development; legal advice.
Privacy Policy | Annual | Change to data processing activities; new processor engagement; regulatory guidance publication; ICO enforcement action relevant to Company's processing.
AML Policy and Procedures | Annual | FATF guidance update; NCA advisory; FCA publication; change to KYC procedures.
Fraud Prevention Controls | Semi-annual | New fraud typology identified; significant fraud incident; payment processor advisory.

13.2  All reviews shall be documented, including the date of review, the reviewer, and a summary of any changes made. Significant revisions shall be brought to the attention of the Board for approval.
13.3  The most current version of this Framework is maintained by the Company's Compliance Officer and is available for production to banking partners, payment processors, and institutional counterparties upon request.

——————————————————————————————————————————————
Flurzi Mobile App Limited | Company No. 16640198 | 16 Honiley Way, Coventry, CV2 1SN
Compliance and Risk Governance Framework Version 1.0 | Last Reviewed: March 4, 2026