Third-Party Risk Management Policy


Last Updated: December 1, 2025


1. POLICY STATEMENT

1.1 Our Commitment to Risk Management

Unicorn Currencies Limited (Canada) and Unicorn Currencies Ltd (United Kingdom) (collectively "Unicorn", "we", "us", or "our") recognize that our ability to deliver reliable, secure foreign exchange and payment services depends significantly on the performance and integrity of our third-party partners.

Our Third-Party Risk Management (TPRM) Policy establishes a comprehensive framework for:

(a) Selecting banking partners, payment service providers, and other critical third parties through rigorous due diligence;

(b) Monitoring ongoing performance, financial stability, and operational resilience of partners;

(c) Managing and mitigating risks arising from third-party relationships;

(d) Maintaining contingency plans to protect client interests in the event of partner failure or service disruption;

(e) Implementing a multi-rail architecture to eliminate single points of failure.

This policy ensures that we maintain high standards across our entire service delivery ecosystem, protecting our clients' funds, data, and transaction integrity.

1.2 Scope and Application

This TPRM Policy applies to all third parties that:

(a) Provide critical services essential to our business operations, including:

  • Banking partners holding client funds or processing payments;

  • FCA-authorized Payment Service Providers facilitating UK/EU transactions;

  • Payment networks and correspondent banks (SWIFT, SEPA, wire networks);

  • Technology infrastructure providers (cloud hosting, data centers);

  • Identity verification and compliance vendors;

  • Cybersecurity and fraud prevention services;

(b) Have access to client funds, data, or confidential information;

(c) Could cause material harm to clients or Unicorn if they fail, underperform, or act inappropriately.

This policy complements our existing policies including Anti-Bribery and Corruption, Modern Slavery Statement, Data Protection, and Operational Resilience frameworks.

1.3 Regulatory Context

Our TPRM approach aligns with:

(a) FINTRAC Guidance on risk-based compliance and third-party relationships;

(b) FCA requirements for operational resilience and outsourcing (SYSC 8, SYSC 13, SYSC 15A);

(c) Bank of Canada Retail Payment Activities Act (RPAA) oversight expectations for PSPs;

(d) International standards including ISO 31000 (Risk Management) and ISO 22301 (Business Continuity).

2. THIRD-PARTY CATEGORIZATION AND RISK ASSESSMENT

2.1 Third-Party Categories

We categorize third parties based on criticality and risk profile:

2.1.1 Critical Third Parties (Tier 1)

Definition: Third parties whose failure or significant underperformance would cause immediate material harm to clients or severely disrupt our ability to deliver services.

Examples:

  • Banking Partners: Canadian chartered banks holding segregated client funds; UK/EU banks holding safeguarded funds

  • FCA-Authorized Payment Service Providers: Partners facilitating UK/EU payment execution (e.g., Equals Money, Clear Currency)

  • Core Payment Networks: SWIFT network connectivity providers

  • Primary Cloud Infrastructure: AWS, Azure, or Google Cloud hosting critical systems

  • Payment Processing Infrastructure: Core transaction execution systems

Risk Level: CRITICAL

Due Diligence: Enhanced (most rigorous)

Monitoring Frequency: Continuous (real-time for operational metrics) and Quarterly (comprehensive reviews)

2.1.2 Important Third Parties (Tier 2)

Definition: Third parties that provide important services where disruption would cause moderate harm or require workarounds, but alternatives exist.

Examples:

  • Secondary Banking Partners: Backup banks for redundancy

  • Correspondent Banks: SWIFT member banks in payment routing chains

  • Identity Verification Vendors: Onfido, Jumio, Trulioo, GB Group

  • Compliance Screening Providers: Dow Jones, ComplyAdvantage, World-Check

  • Cybersecurity Vendors: Cloudflare, security monitoring tools

  • Customer Relationship Management (CRM) Systems: Salesforce, Zoho

Risk Level: ELEVATED

Due Diligence: Standard-Enhanced

Monitoring Frequency: Semi-Annual (comprehensive reviews) with continuous performance monitoring

2.1.3 Standard Third Parties (Tier 3)

Definition: Third parties providing non-critical services where disruption would have minimal client impact and alternatives are readily available.

Examples:

  • Office Supplies and Equipment Vendors

  • Marketing and Advertising Services

  • General Professional Services (legal, accounting, consulting for non-critical matters)

  • Non-Critical Software Tools

Risk Level: STANDARD

Due Diligence: Standard

Monitoring Frequency: Annual reviews

2.2 Risk Assessment Framework

For each third party, we assess risk across multiple dimensions:

(a) Operational Risk: Could failure or underperformance disrupt client services?

(b) Financial Risk: Is the third party financially stable? Could insolvency harm clients?

(c) Credit Risk: For banking partners, what is their credit rating and capital adequacy?

(d) Regulatory Risk: Does the third party comply with applicable regulations? Could their non-compliance affect us?

(e) Cybersecurity Risk: How secure are their systems? Could they be a vector for cyberattacks or data breaches?

(f) Data Protection Risk: Do they handle client data appropriately in compliance with GDPR/PIPEDA?

(g) Concentration Risk: Are we overly dependent on a single provider, creating a single point of failure?

(h) Geographic/Political Risk: Where are they located? Are they exposed to political instability, sanctions, or adverse regulatory changes?

(i) Reputational Risk: Could their misconduct or negative publicity damage our reputation?

(j) Compliance Risk: Do they meet our standards for AML, anti-bribery, modern slavery, and ethical conduct?

3. SELECTION AND DUE DILIGENCE

3.1 Banking Partner Selection

Our banking partners are selected through a rigorous, multi-stage due diligence process:

3.1.1 Initial Screening Criteria

Banking partners must meet minimum threshold criteria:

(a) Regulatory Authorization: Hold appropriate banking licenses (chartered bank status in Canada; FCA authorization or equivalent in UK/EU);

(b) Credit Rating: Minimum investment-grade credit rating (BBB- or equivalent) from recognized rating agencies (Moody's, S&P, Fitch);

(c) Capital Adequacy: Strong capital ratios exceeding regulatory minimums (Tier 1 Capital Ratio >10%);

(d) Financial Stability: Demonstrated financial stability with consistent profitability and low non-performing loan ratios;

(e) Reputation: Positive industry reputation with no recent major regulatory sanctions or enforcement actions;

(f) Operational Capability: Proven ability to provide required services (segregated accounts, SWIFT connectivity, safeguarding, API integrations);

(g) Geographic Presence: Physical presence and operational infrastructure in relevant jurisdictions.

3.1.2 Enhanced Due Diligence Process

For banking partners meeting initial criteria, we conduct enhanced due diligence:

Financial Analysis:

  • Review of audited financial statements (balance sheet, income statement, cash flow)

  • Analysis of capital adequacy ratios (CET1, Tier 1, Total Capital)

  • Assessment of liquidity ratios (Liquidity Coverage Ratio, Net Stable Funding Ratio)

  • Credit rating reports and rating agency commentary

  • Market indicators (CDS spreads, stock performance for publicly traded banks)

  • Stress test results (regulatory stress tests, internal assessments)

Regulatory and Compliance Review:

  • Verification of regulatory authorizations and licenses

  • Review of regulatory examination reports (where publicly available)

  • Assessment of compliance history (enforcement actions, fines, consent orders)

  • Anti-money laundering (AML) and sanctions compliance programs

  • Data protection and cybersecurity frameworks

  • Modern slavery statements and corporate social responsibility practices

Operational Assessment:

  • Technology infrastructure and system reliability (uptime metrics, disaster recovery)

  • Payment processing capabilities (speed, accuracy, capacity)

  • API and integration capabilities for seamless connectivity

  • Customer service quality and responsiveness

  • Business continuity and disaster recovery plans

  • Cybersecurity controls and incident history

Legal and Contractual Review:

  • Review of proposed banking agreements and service terms

  • Safeguarding or segregation arrangements for client funds

  • Liability, indemnification, and insurance provisions

  • Service level agreements (SLAs) and performance metrics

  • Termination provisions and transition assistance

  • Data protection and confidentiality clauses

References and Market Intelligence:

  • References from existing clients or industry peers

  • Market reputation research (industry publications, analyst reports)

  • Feedback from banking networks and trade associations

3.1.3 Approval Process

(a) Risk Committee Review: All Tier 1 banking partners are reviewed by a Risk Committee comprising the COO, Head of Compliance, CFO, and external advisors (where appropriate);

(b) Board Approval: Material banking relationships (e.g., primary safeguarding banks, core payment partners) require Board of Directors approval;

(c) Legal Review: All banking agreements are reviewed and approved by legal counsel;

(d) Documentation: A complete due diligence file is maintained, including financial analysis, regulatory review, operational assessment, references, approval memos, and signed contracts.

3.2 FCA-Authorized Payment Service Provider Selection

For UK/EU operations, we partner with FCA-authorized Payment Institutions and Electronic Money Institutions. Selection criteria include:

(a) FCA Authorization: Current, valid FCA authorization as a Payment Institution (PI) or Electronic Money Institution (EMI) with permissions covering required activities;

(b) Safeguarding Compliance: Robust safeguarding arrangements compliant with Payment Services Regulations 2017 and Electronic Money Regulations 2011;

(c) Capital Requirements: Compliance with FCA capital requirements and adequate financial resources;

(d) Regulatory Standing: Clean regulatory record with no recent enforcement actions or material breaches;

(e) Operational Track Record: Proven experience facilitating B2B foreign exchange and payment services;

(f) Technology Platform: Reliable, secure technology with API connectivity for seamless integration;

(g) Customer Service: High-quality support and service delivery to end clients.

The due diligence process mirrors the banking partner due diligence (Section 3.1.2), with additional focus on:

  • FCA regulatory permissions and conditions

  • Safeguarding bank arrangements and audit reports

  • Program Manager relationship models

  • White-label or partnership capabilities

3.3 Technology and Service Provider Selection

For technology vendors and other service providers (Tier 2 and Tier 3), we conduct proportionate due diligence:

(a) Vendor Screening: Identity verification, financial stability check, reputation research, sanctions/PEP screening;

(b) Security Assessment: Cybersecurity controls (SOC 2, ISO 27001 certifications), data encryption practices, incident response capabilities;

(c) Data Protection: GDPR/PIPEDA compliance, Data Processing Agreements (DPAs), data residency and transfer mechanisms;

(d) Service Level Agreements (SLAs): Uptime guarantees, support response times, performance metrics;

(e) Business Continuity: Disaster recovery plans, backup and redundancy arrangements;

(f) Contractual Protections: Liability caps, indemnification, insurance, termination rights, data return provisions;

(g) References: Client references and case studies demonstrating successful service delivery.

3.4 Contractual Requirements

All third-party contracts include:

(a) Service Definitions: Clear description of services, deliverables, and performance standards;

(b) Service Level Agreements (SLAs): Uptime guarantees, response times, performance metrics, and remedies for SLA breaches;

(c) Data Protection: Compliance with GDPR/PIPEDA, Data Processing Agreements, confidentiality obligations;

(d) Security Requirements: Cybersecurity controls, incident notification, penetration testing, audit rights;

(e) Regulatory Compliance: Obligations to comply with applicable laws, regulations, and Unicorn policies (AML, ABC, Modern Slavery);

(f) Audit Rights: Right to audit the third party's controls, systems, and compliance;

(g) Business Continuity: Requirements for disaster recovery, business continuity plans, and testing;

(h) Liability and Indemnification: Clear allocation of liability, indemnification for losses, insurance requirements;

(i) Termination Rights: Right to terminate for cause (breach, insolvency, regulatory issues) with reasonable notice periods;

(j) Transition Assistance: Obligations to assist with smooth transition to alternative providers upon termination.

4. ONGOING MONITORING AND OVERSIGHT

4.1 Continuous Monitoring of Banking Partners

We continuously monitor our banking partners to detect early warning signs of financial or operational distress:

4.1.1 Financial Health Monitoring

(a) Credit Rating Surveillance: Real-time alerts for credit rating changes (upgrades, downgrades, outlook changes);

(b) Market Indicators:

  • Credit Default Swap (CDS) spreads (widening spreads indicate increased default risk)

  • Stock price performance (for publicly traded banks)

  • Bond yields and spreads

(c) Quarterly Financial Statement Review:

  • Capital ratios (CET1, Tier 1, Total Capital)

  • Liquidity ratios (LCR, NSFR)

  • Asset quality (non-performing loans, loan loss provisions)

  • Profitability (ROE, ROA, net interest margin)

  • Trends and variance analysis

(d) Regulatory Filings and Disclosures: Review of regulatory reports, stress test results, and public disclosures;

(e) News and Media Monitoring: Daily monitoring of financial news, regulatory announcements, and adverse media alerts.

Red Flags:

  • Credit rating downgrade (especially below investment grade)

  • CDS spreads widening significantly

  • Deteriorating capital ratios approaching regulatory minimums

  • Increasing non-performing loans or loan loss provisions

  • Negative profitability or significant losses

  • Regulatory enforcement actions or sanctions

  • Management changes or strategic uncertainty

4.1.2 Operational Performance Monitoring

(a) Uptime and Availability: Real-time monitoring of banking systems and payment processing (target: 99.9% uptime);

(b) Transaction Performance:

  • Payment processing times (time from instruction to beneficiary credit)

  • Error rates and failed transactions

  • SLA compliance (e.g., same-day processing targets)

(c) Customer Service Quality:

  • Response times to inquiries and issues

  • Resolution rates and escalation frequency

  • Client satisfaction feedback

(d) System Incidents: Tracking of system outages, cyber incidents, or operational disruptions;

(e) API Performance: For partners with API integrations, monitoring of API uptime, latency, and error rates.

Performance Reviews:

  • Monthly: Operational dashboards and KPI tracking

  • Quarterly: Comprehensive performance reviews with banking partners, addressing SLA compliance, incidents, and improvement opportunities

  • Annual: Strategic review of partnership value, competitive positioning, and continuation

4.1.3 Compliance and Risk Monitoring

(a) Regulatory Changes: Monitoring regulatory developments affecting banking partners (new rules, enforcement trends);

(b) Compliance Incidents: Tracking AML fines, sanctions violations, data breaches, or other compliance failures;

(c) Audit Reports: Requesting and reviewing SOC 2, ISAE 3402, or similar third-party audit reports;

(d) Safeguarding Audits (for UK partners): Annual review of independent safeguarding audit reports to confirm client funds are properly protected;

(e) Risk Assessments: Periodic re-assessment of third-party risk profile based on changes in their business, market conditions, or our usage.

4.2 Technology and Service Provider Monitoring

For Tier 2 and Tier 3 providers:

(a) SLA Monitoring: Automated tracking of uptime, performance metrics, and SLA compliance;

(b) Security Reviews: Annual review of security certifications (SOC 2, ISO 27001), penetration test results, and incident history;

(c) Vendor Performance Scorecards: Quarterly scorecards rating vendors on quality, responsiveness, value, and compliance;

(d) Contract Compliance: Periodic audits to ensure vendors are meeting contractual obligations;

(e) Business Reviews: Annual business reviews with key vendors to discuss performance, roadmap, and strategic fit.

4.3 Early Warning System

We maintain an Early Warning System that triggers escalation when risk thresholds are breached:

Trigger Events:

  • Credit rating downgrade below BBB-

  • CDS spreads exceeding 200 basis points

  • Capital ratios falling below 10% (Tier 1)

  • Major operational incidents (>4 hours downtime)

  • Regulatory enforcement actions

  • Material adverse news (fraud, insolvency rumors, cyberattack)

Escalation Procedure:

  1. Immediate Alert: Risk Officer notified within 24 hours

  2. Assessment: Risk Committee convenes within 48 hours to assess impact

  3. Action Plan: Determine response (increase monitoring, engage partner, activate contingency, terminate relationship)

  4. Board Notification: Material risks escalated to Board within 5 business days
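The following Python script is an added illustration of how the Section 4.3 trigger events can be encoded as detection rules and run over partner metrics; it is not Unicorn's own monitoring tooling. The rating scale ordering, the metric field names, and the two partners in the sample data are constructed assumptions for the example; the thresholds themselves (BBB-, 200 bps, 10% Tier 1, 4 hours) are the ones stated in the policy.

```python
"""Early-warning evaluator for banking-partner risk thresholds.

Added illustration (not Unicorn's own tooling). Encodes the Section 4.3
trigger events as rules and runs them over a constructed set of partner
metrics. The rating scale and metric field names are assumptions.
"""
from dataclasses import dataclass, field

# Assumed long-term rating scale, best to worst. Investment grade ends at BBB-.
RATING_SCALE = [
    "AAA", "AA+", "AA", "AA-", "A+", "A", "A-",
    "BBB+", "BBB", "BBB-",
    "BB+", "BB", "BB-", "B+", "B", "B-", "CCC", "CC", "C", "D",
]
INVESTMENT_GRADE_FLOOR = RATING_SCALE.index("BBB-")

# Thresholds taken from Section 4.3 of the policy.
CDS_LIMIT_BPS = 200
TIER1_CAPITAL_MIN_PCT = 10.0
DOWNTIME_LIMIT_HOURS = 4.0


@dataclass
class PartnerMetrics:
    name: str
    rating: str
    cds_spread_bps: float
    tier1_capital_pct: float
    longest_incident_hours: float
    enforcement_action: bool = False
    adverse_news: list = field(default_factory=list)


def rating_is_below_investment_grade(rating: str) -> bool:
    """True when the rating sits below BBB- on the assumed scale."""
    if rating not in RATING_SCALE:
        raise ValueError(f"unknown rating {rating!r}")
    return RATING_SCALE.index(rating) > INVESTMENT_GRADE_FLOOR


def evaluate_triggers(m: PartnerMetrics) -> list:
    """Return the Section 4.3 trigger events breached by this partner."""
    triggers = []
    if rating_is_below_investment_grade(m.rating):
        triggers.append("credit rating below BBB-")
    if m.cds_spread_bps > CDS_LIMIT_BPS:
        triggers.append("CDS spread above 200 bps")
    if m.tier1_capital_pct < TIER1_CAPITAL_MIN_PCT:
        triggers.append("Tier 1 capital below 10%")
    if m.longest_incident_hours > DOWNTIME_LIMIT_HOURS:
        triggers.append("operational incident over 4 hours")
    if m.enforcement_action:
        triggers.append("regulatory enforcement action")
    if m.adverse_news:
        triggers.append("material adverse news: " + "; ".join(m.adverse_news))
    return triggers


def escalation_steps(triggers: list) -> list:
    """Map any breached trigger to the Section 4.3 escalation timeline.

    The Board step is always listed; whether a breach is "material" is a
    Risk Committee judgement that this script does not make."""
    if not triggers:
        return []
    return [
        "Risk Officer notified within 24 hours",
        "Risk Committee convenes within 48 hours",
        "Action plan determined (monitor, engage, contingency, terminate)",
        "Board notified within 5 business days if material",
    ]


# Constructed sample data: one healthy partner and one in distress.
SAMPLE_PARTNERS = [
    PartnerMetrics("Bank A (constructed)", "A-", 85, 14.2, 1.5),
    PartnerMetrics("Bank B (constructed)", "BB+", 310, 9.4, 6.0,
                   enforcement_action=True),
]


def run_early_warning(partners=SAMPLE_PARTNERS) -> dict:
    """Evaluate every partner; return {name: triggers} for those breaching."""
    return {p.name: t for p in partners if (t := evaluate_triggers(p))}


if __name__ == "__main__":
    for name, triggers in run_early_warning().items():
        print(name)
        for t in triggers:
            print("  trigger:", t)
        for step in escalation_steps(triggers):
            print("  step:", step)
```

The rating check is the part worth getting right: "below BBB-" is an ordinal comparison on a rating scale, not a string comparison, so the scale is made explicit and unknown ratings raise rather than silently passing.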

5. CONTINGENCY PLANNING AND BUSINESS CONTINUITY

5.1 Contingency Planning Philosophy

We recognize that even well-managed third parties can experience disruption or failure. Our contingency planning ensures continuity of service and protection of client interests under adverse scenarios.

5.2 Scenario Planning

We develop contingency plans for multiple scenarios:

5.2.1 Banking Partner Failure or Insolvency

Scenario: A banking partner holding client funds becomes insolvent or fails.

Client Fund Protection:

(Canada):

  • Client funds held in segregated trust accounts are protected and not available to satisfy the bank's creditors

  • Funds are priority assets returned to clients under Canadian trust law

  • Canada Deposit Insurance Corporation (CDIC) does NOT cover MSB client funds, but segregation provides strong legal protection

(UK/EU):

  • Client funds safeguarded by FCA-authorized partners are protected under Payment Services Regulations 2017 / Electronic Money Regulations 2011

  • Safeguarded funds are segregated and not available to creditors of the failed institution

  • Financial Services Compensation Scheme (FSCS) does NOT cover e-money or payment service balances, but safeguarding regulations provide statutory protection

Contingency Actions:

  1. Immediate Assessment: Determine extent of client fund exposure and segregation/safeguarding status

  2. Regulatory Engagement: Liaise with FINTRAC, FCA, insolvency practitioners, and regulators overseeing the failed institution

  3. Client Communication: Proactively communicate with affected clients, explaining protections, expected timelines, and our actions

  4. Fund Recovery: Work with trustees, administrators, or regulators to expedite return of client funds

  5. Alternative Banking: Activate backup banking arrangements to restore service continuity

  6. Claims Process: Assist clients with claims processes if necessary

Mitigation: Diversification across multiple banking partners to limit exposure (see Section 5.4)

5.2.2 Payment Network Disruption (SWIFT Outage)

Scenario: SWIFT network experiences extended outage or disruption.

Contingency Actions:

  1. Alternative Payment Rails: Utilize alternative payment networks (SEPA for Eurozone, Faster Payments for UK, domestic ACH/wire systems)

  2. Correspondent Bank Direct Messaging: Engage correspondent banks directly via alternative secure messaging (TELEX, proprietary systems)

  3. Manual Processing: Temporary manual payment processing with enhanced security controls

  4. Client Communication: Inform clients of delays and alternative options (e.g., domestic transfers where feasible)

  5. Priority Queue: Prioritize time-sensitive and high-value transactions

Mitigation: Multi-rail architecture supporting multiple payment networks (see Section 5.4)

5.2.3 FCA-Authorized Partner Suspension or Failure

Scenario: An FCA-authorized Payment Service Provider partner loses authorization, becomes insolvent, or experiences operational failure.

Contingency Actions:

  1. Immediate Partner Switch: Transition affected transactions to backup FCA-authorized partner(s) with equivalent capabilities

  2. Client Fund Protection: Verify that safeguarded client funds are secure and initiate recovery if necessary

  3. Regulatory Coordination: Coordinate with FCA and replacement partner to ensure smooth transition

  4. Client Notification: Inform UK/EU clients of partner change, any temporary service impacts, and new safeguarding arrangements

  5. Transaction Continuity: Ensure no interruption to in-flight transactions; complete pending settlements

Mitigation: Maintain relationships with multiple FCA-authorized partners for redundancy (see Section 5.4)

5.2.4 Technology Infrastructure Failure (Cloud Outage)

Scenario: Primary cloud infrastructure provider (AWS, Azure) experiences extended regional outage.

Contingency Actions:

  1. Failover to Secondary Region: Activate disaster recovery infrastructure in alternative cloud region or availability zone

  2. Multi-Cloud Redundancy: If multi-cloud architecture is in place, failover to alternative cloud provider (AWS to Azure or vice versa)

  3. Critical Function Prioritization: Restore most critical functions first (transaction execution, client fund access, customer service)

  4. Communication: Provide real-time status updates to clients via website, email, and social media

  5. Manual Workarounds: Implement temporary manual processes for urgent client needs while systems restore

Mitigation: Multi-region cloud deployment with automated failover; regular disaster recovery testing (see Section 5.5)

5.2.5 Cyberattack or Data Breach

Scenario: Third-party vendor experiences cyberattack or data breach affecting Unicorn or client data.

Contingency Actions:

  1. Incident Response Activation: Engage Incident Response Team and cybersecurity specialists

  2. Threat Containment: Work with affected vendor to contain breach, isolate compromised systems, and prevent further data exfiltration

  3. Impact Assessment: Determine what data was accessed or compromised (client PII, financial data, credentials)

  4. Regulatory Notification: Notify ICO (UK), Privacy Commissioner (Canada), and relevant regulators within required timeframes (72 hours under GDPR)

  5. Client Notification: Notify affected clients, explain risks, and provide mitigation guidance (password resets, fraud monitoring)

  6. Remediation: Implement enhanced security controls, credential rotation, and ongoing monitoring

  7. Vendor Accountability: Assess vendor's breach response, invoke contractual remedies (liability, indemnification), and consider termination if negligence is found

Mitigation: Rigorous vendor security assessments (SOC 2, penetration testing); contractual security requirements; cyber insurance coverage

5.3 Business Continuity Plans (BCPs)

For each critical third party, we maintain a documented Business Continuity Plan that includes:

(a) Risk Assessment: Scenarios that could disrupt the third party's services and impact on Unicorn;

(b) Response Procedures: Step-by-step actions to take when disruption occurs (escalation, communication, workarounds);

(c) Alternative Providers: Identification of backup providers or alternative service delivery methods;

(d) Recovery Time Objectives (RTOs): Target timeframes for restoring services (e.g., <4 hours for critical payment processing);

(e) Communication Plans: Templates for internal and external communications during disruptions;

(f) Contact Lists: Up-to-date contact information for third-party escalation points, regulators, and internal stakeholders;

(g) Testing Schedule: Regular testing of contingency plans (see Section 5.5).

5.4 Multi-Rail Architecture: Eliminating Single Points of Failure

Unicorn Currencies employs a multi-rail architecture across our entire service delivery ecosystem to eliminate single points of failure and ensure continuous service availability.

5.4.1 Banking and Payment Processing Redundancy

(Canada):

  • Multiple Banking Partners: We maintain segregated client fund accounts at multiple Tier-1 Canadian chartered banks, distributing client funds to limit exposure to any single institution

  • Diversified Payment Rails: Support for multiple domestic payment systems (wire transfers, EFT, Interac) ensuring continuity if one rail experiences disruption

(UK/EU):

  • Multiple FCA-Authorized Partners: We contract with multiple FCA-authorized Payment Service Providers, enabling rapid switching if one partner experiences issues

  • Diversified Safeguarding Banks: Our FCA-authorized partners use different safeguarding banks, further reducing concentration risk

  • Multiple Payment Networks: Support for SWIFT, SEPA, Faster Payments (UK), and CHAPS, providing multiple pathways for payment execution

(Global):

  • Correspondent Banking Network: Relationships with multiple correspondent banks in key jurisdictions, providing alternative routing if primary correspondents are unavailable

  • Direct Bank Relationships: Where possible, direct relationships with major global banks (HSBC, Citi, JP Morgan) rather than sole reliance on intermediaries

5.4.2 Technology Infrastructure Redundancy

(Cloud Infrastructure):

  • Multi-Region Deployment: Core systems deployed across multiple geographic regions (e.g., AWS US-East, AWS EU-West) with automated failover

  • Multi-Cloud Strategy (Roadmap): Long-term roadmap includes multi-cloud deployment across AWS and Azure to eliminate dependency on single cloud provider

  • Geographic Distribution: Data centers in different seismic zones, political jurisdictions, and network backbones

(Critical Systems):

  • Database Replication: Real-time database replication across multiple regions with automatic failover

  • Load Balancing: Distributed load balancing preventing single server failures from affecting service

  • Redundant Network Connectivity: Multiple internet service providers (ISPs) and network paths

(Identity Verification and Compliance):

  • Multiple KYC Providers: Contracts with multiple identity verification vendors (Onfido, Jumio, Trulioo) enabling rapid switching if one provider experiences downtime or data quality issues

  • Multiple Sanctions Screening Providers: Redundant sanctions and PEP screening through multiple databases (Dow Jones, ComplyAdvantage, World-Check) ensuring continuous compliance even if one provider is unavailable

5.4.3 Benefits of Multi-Rail Architecture

(a) Service Continuity: Disruption at one partner has minimal client impact; we seamlessly shift volume to alternative providers;

(b) Competitive Pricing: Multiple providers create competitive tension, driving better rates and service quality;

(c) Flexibility: Ability to optimize routing based on speed, cost, or other factors for each transaction;

(d) Risk Distribution: No single provider controls critical client assets or processes, reducing concentration risk;

(e) Regulatory Resilience: If one partner loses authorization or regulatory approval, we continue operations through alternative partners.
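As an added illustration of the multi-rail behaviour described in Sections 5.4.1 to 5.4.3 (several rails per payment, automatic shift of volume when one is marked unavailable, routing preference by cost or speed), the Python below models a small rail catalogue and a selector; it is not Unicorn's routing engine. The rail limits, fee and settlement-time figures, and the health flags are constructed values for the example.

```python
"""Multi-rail route selection with health-based failover.

Added illustration, not Unicorn's own routing engine. Models the
Section 5.4 idea that a payment has several possible rails and that
volume shifts automatically when one is unavailable. The limits, fees,
settlement times and health states below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rail:
    name: str
    currencies: frozenset      # currencies the rail can settle
    max_amount: float          # per-payment ceiling (constructed)
    cost_bps: float            # assumed fee in basis points of the amount
    expected_hours: float      # assumed typical settlement time
    healthy: bool = True       # fed by SLA/uptime monitoring (Section 4.1.2)


# Constructed catalogue for a UK/EU book: SWIFT, SEPA, Faster Payments, CHAPS.
RAILS = [
    Rail("SWIFT",           frozenset({"GBP", "EUR", "USD"}), 1e9,     25, 24),
    Rail("SEPA",            frozenset({"EUR"}),               1e6,      2, 12),
    Rail("Faster Payments", frozenset({"GBP"}),               250_000,  1, 0.5),
    Rail("CHAPS",           frozenset({"GBP"}),               1e9,     15, 3),
]


def eligible_rails(rails, currency: str, amount: float):
    """Rails that are healthy and can carry this currency and amount."""
    return [r for r in rails
            if r.healthy and currency in r.currencies and amount <= r.max_amount]


def select_rail(rails, currency: str, amount: float, prefer: str = "cost"):
    """Pick the best eligible rail; `prefer` is 'cost' or 'speed'.

    Returns None when no rail can carry the payment, which is the
    situation the Section 4.3 early-warning process should then pick up."""
    candidates = eligible_rails(rails, currency, amount)
    if not candidates:
        return None
    if prefer == "cost":
        key = lambda r: (r.cost_bps, r.expected_hours)
    else:
        key = lambda r: (r.expected_hours, r.cost_bps)
    return min(candidates, key=key)


def mark_unhealthy(rails, name: str):
    """Return a new rail list with `name` marked down (e.g. after an outage alert)."""
    return [replace(r, healthy=False) if r.name == name else r for r in rails]


def route_payment(rails, currency: str, amount: float, prefer: str = "cost") -> str:
    """Return the chosen rail name, or 'NO_ROUTE' when nothing is eligible."""
    rail = select_rail(rails, currency, amount, prefer)
    return rail.name if rail else "NO_ROUTE"


if __name__ == "__main__":
    print(route_payment(RAILS, "GBP", 50_000))                      # Faster Payments
    degraded = mark_unhealthy(RAILS, "Faster Payments")
    print(route_payment(degraded, "GBP", 50_000))                   # CHAPS
    print(route_payment(RAILS, "EUR", 5_000_000))                   # SWIFT (SEPA cap)
    print(route_payment(mark_unhealthy(RAILS, "SWIFT"), "USD", 10_000))  # NO_ROUTE
```

Rails are immutable and health is changed by producing a new catalogue, so a monitoring feed can swap the whole table atomically; the selector never has to reason about a partially updated state.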

5.5 Contingency Plan Testing

Annual Testing Requirements:

(a) Tabletop Exercises: Annual simulation of major disruption scenarios (banking partner failure, SWIFT outage, cyberattack) with key stakeholders walking through response procedures;

(b) Failover Testing: Quarterly testing of technical failover procedures (cloud region failover, database replication, backup system activation);

(c) Partner Switching Drills: Semi-annual testing of switching transaction volume from primary to backup partners to validate redundancy;

(d) Communication Testing: Testing of crisis communication procedures (internal notification trees, client communication templates, regulatory reporting);

(e) Lessons Learned: Post-test reviews to identify gaps, update procedures, and improve preparedness.

Test Results Documentation:

  • Test outcomes, issues identified, and corrective actions documented

  • BCPs updated based on test learnings

  • Results reported to Board annually

6. GOVERNANCE AND OVERSIGHT

6.1 Roles and Responsibilities

6.1.1 Board of Directors

(a) Approves Third-Party Risk Management Policy and material amendments;

(b) Reviews semi-annual reports on third-party risks, key partners, and significant changes;

(c) Approves entry into relationships with critical banking and payment partners (Tier 1);

(d) Oversees adequacy of contingency planning and business continuity preparedness;

(e) Ensures adequate resources and expertise for third-party risk management.

6.1.2 Chief Operating Officer (COO)

(a) Holds ultimate accountability for the third-party risk management program;

(b) Chairs Risk Committee overseeing third-party relationships;

(c) Approves onboarding of Tier 1 and Tier 2 partners (Tier 1 subject to Board ratification);

(d) Escalates material third-party risks to the Board;

(e) Ensures cross-functional coordination on third-party management.

6.1.3 Chief Risk Officer / Head of Compliance

(a) Owns and maintains TPRM Policy;

(b) Conducts due diligence on prospective third parties;

(c) Coordinates ongoing monitoring and oversight of third-party relationships;

(d) Maintains third-party risk register and early warning system;

(e) Develops and maintains business continuity plans for critical third parties;

(f) Produces management information and reports on third-party risks;

(g) Coordinates contingency plan testing and exercises.

6.1.4 Chief Financial Officer (CFO)

(a) Manages banking relationships and monitors financial health of banking partners;

(b) Ensures adequate liquidity and fund distribution across banking partners;

(c) Oversees financial controls related to third-party payments and invoicing;

(d) Participates in Risk Committee reviews of banking and financial service providers.

6.1.5 Chief Technology Officer (CTO)

(a) Manages technology vendor relationships;

(b) Ensures technology architecture supports multi-rail redundancy;

(c) Oversees cybersecurity assessments of technology vendors;

(d) Maintains disaster recovery and technical failover capabilities;

(e) Conducts technical due diligence on infrastructure and software providers.

6.1.6 Procurement and Legal Teams

(a) Negotiate contracts with appropriate risk allocation, SLAs, and protections;

(b) Ensure contractual compliance with TPRM Policy requirements;

(c) Manage contract renewals, amendments, and terminations;

(d) Advise on legal and regulatory implications of third-party relationships.

6.2 Risk Committee

A Third-Party Risk Committee meets quarterly (minimum) to:

(a) Review third-party risk metrics, incidents, and trends;

(b) Assess and approve onboarding of critical and important third parties;

(c) Review ongoing performance and financial health of key partners;

(d) Evaluate emerging third-party risks and mitigation strategies;

(e) Oversee contingency planning and business continuity preparedness;

(f) Recommend policy updates or strategic changes to senior management.

Committee Composition: COO (Chair), Head of Compliance/CRO, CFO, CTO, Head of Operations, Legal Counsel

6.3 Reporting

6.3.1 Management Reporting

(a) Monthly: Third-party risk dashboard (key metrics, incidents, SLA compliance);

(b) Quarterly: Comprehensive reports to Risk Committee and Senior Management covering:

  • New third-party onboarding and terminations

  • Ongoing monitoring results and risk assessments

  • Performance issues and remediation

  • Contingency plan updates and testing results

  • Emerging risks and mitigation strategies

6.3.2 Board Reporting

(a) Semi-Annual: Board reports covering:

  • Portfolio of critical and important third parties

  • Financial health and operational performance of key banking partners

  • Material incidents, service disruptions, or partner failures

  • Contingency plan effectiveness and testing outcomes

  • Strategic third-party risk issues and Board decisions required

  • Regulatory developments affecting third-party management

6.3.3 Regulatory Reporting

(a) As required by FINTRAC, FCA (through authorized partners), or Bank of Canada, reporting on:

  • Material operational incidents involving third parties

  • Changes to critical third-party relationships

  • Outsourcing arrangements and operational resilience

7. CONTINUOUS IMPROVEMENT

7.1 Annual Policy Review

This TPRM Policy is reviewed annually, taking into account:

(a) Changes in regulatory requirements or guidance;

(b) Lessons learned from third-party incidents, testing, or actual disruptions;

(c) Evolution of our business model, service offerings, or client base;

(d) Emerging third-party risks (e.g., new technology dependencies, geopolitical risks);

(e) Industry best practices and peer benchmarking.

7.2 Industry Engagement

We engage with industry bodies, regulators, and peers to stay informed on third-party risk management best practices:

(a) Participation in industry working groups and roundtables on operational resilience;

(b) Review of regulatory guidance (FCA, Bank of Canada, FINTRAC) and thematic reviews;

(c) Benchmarking against peer fintech and financial services firms;

(d) Engagement with cloud providers, banking associations, and payment networks on resilience initiatives.

7.3 Technology and Innovation

We continuously explore technology solutions to enhance third-party risk management:

(a) Third-Party Risk Management (TPRM) Software: Platforms for centralized vendor management, due diligence workflows, and monitoring;

(b) Automated Monitoring Tools: Real-time dashboards for banking partner financial health, credit ratings, and operational performance;

(c) Artificial Intelligence (AI): AI-powered risk scoring and early warning systems analyzing news, financial data, and risk indicators;

(d) Blockchain and Distributed Ledger Technology (DLT): Exploration of DLT-based payment rails and settlement systems to further diversify infrastructure.

8. RELATED POLICIES AND RESOURCES

8.1 Internal Policies

This TPRM Policy should be read in conjunction with:

(a) Operational Resilience Policy (internal)

(b) Business Continuity and Disaster Recovery Plan (internal)

(c) Cybersecurity Policy (internal)

(d) Data Protection and Privacy Policy: www.unicorncurrencies.com/privacy

(e) Anti-Bribery and Corruption Policy: www.unicorncurrencies.com/abc-policy

(f) Modern Slavery Statement: www.unicorncurrencies.com/modern-slavery-statement

(g) Safeguarding Policy: www.unicorncurrencies.com/safeguarding

8.2 External Resources

(a) FCA Guidance on Operational Resilience: https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience

(b) FCA Guidance on Outsourcing (SYSC 8): https://www.handbook.fca.org.uk/handbook/SYSC/8/

(c) Bank of Canada - Retail Payment Activities Act (RPAA): https://www.bankofcanada.ca/core-functions/retail-payments-supervision/

(d) ISO 22301 - Business Continuity Management: https://www.iso.org/standard/75106.html

(e) SWIFT Customer Security Programme (CSP): https://www.swift.com/myswift/customer-security-programme-csp

9. CONTACT INFORMATION

For questions about this Third-Party Risk Management Policy or to report third-party risks:

Chief Risk Officer / Head of Compliance

Email: compliance@unicorncurrencies.com

UK Phone: +44 (20) 8064-0818

Canada Phone: +1 (548) 488-0818

Address (UK):
Risk Management
Unicorn Currencies Ltd
4th Floor, Silverstream House, Fitzroy Street
London, W1T 6EB
United Kingdom

Address (Canada):
Risk Management
Unicorn Currencies Limited
5577 153A Street, Suite 207
Surrey, V3S 5K7, British Columbia
Canada

10. POLICY APPROVAL

This Third-Party Risk Management Policy has been approved by the Board of Directors of Unicorn Currencies Limited (Canada) and Unicorn Currencies Ltd (United Kingdom).

Approved by:

Signed:

Nazia M Thakur
Founder & CEO
Unicorn Currencies

Date: December 1, 2025

Next Review Date: December 2026

Our multi-rail architecture and rigorous third-party risk management framework ensure that your transactions are executed reliably, your funds are protected, and our services remain resilient even in the face of partner disruptions or market stress.

© 2025 Unicorn Currencies. All rights reserved.