Third-Party Risk Management Policy

Last Updated: December 1, 2025

Unicorn Currencies Limited is a Bank of Canada–supervised Payment Service Provider and FINTRAC-registered Money Services Business (MSB: C100000159) serving importers and exporters with $1M+ annual FX volumes.

Our Approach to Third-Party Risk

Unicorn Currencies relies on a carefully selected network of partners, vendors, and service providers to deliver our services. We recognize that third-party relationships introduce risks that must be identified, assessed, and managed throughout the relationship lifecycle.

This policy establishes our framework for third-party risk management, ensuring that partners meet our standards for regulatory compliance, security, operational resilience, and ethical conduct.

Scope

This policy applies to all third-party relationships including:

  • Banking Partners: Correspondent banks, safeguarding banks, payment networks
  • Payment Service Providers: FCA-authorized EMIs and PIs for UK/EU payments
  • Technology Vendors: Cloud infrastructure, software, identity verification
  • Professional Services: Legal, audit, compliance consultants
  • Outsourcing Arrangements: Any functions performed by third parties

Due Diligence Framework

Initial Due Diligence

Before engaging any third party, we assess:

  • Regulatory Status: Licenses, registrations, regulatory history
  • Financial Stability: Financial statements, credit ratings, ownership
  • Compliance Posture: AML/CTF controls, sanctions compliance, ABC policies
  • Security Practices: Information security, certifications (SOC 2, ISO 27001)
  • Operational Resilience: Business continuity, disaster recovery
  • Reputation: Adverse media, regulatory actions, litigation

Risk Classification

Third parties are classified based on criticality and risk:

  • Critical: Banking partners, payment processors, cloud infrastructure
  • High: Identity verification, sanctions screening providers
  • Medium: Professional services, non-critical software
  • Low: Office supplies, non-sensitive services

Due diligence depth and ongoing monitoring frequency scale with risk classification.

Contractual Protections

All third-party contracts include:

  • Compliance Obligations: AML/CTF, sanctions, data protection requirements
  • Audit Rights: Right to audit or request third-party audit reports
  • Data Protection: GDPR/PIPEDA-compliant data processing agreements
  • Security Requirements: Minimum security standards, incident notification
  • Business Continuity: Recovery time objectives, disaster recovery testing
  • Termination Rights: Exit provisions, data return/destruction
  • Indemnification: Liability for breaches and non-compliance

Ongoing Monitoring

We monitor third-party relationships through:

  • Periodic Reviews: Annual for critical vendors, biennial for others
  • Performance Monitoring: SLA compliance, incident tracking
  • Adverse Media Screening: Continuous monitoring for regulatory/reputational issues
  • Reassessment Triggers: Regulatory changes, security incidents, ownership changes
  • Exit Planning: Contingency plans for critical vendor failure

Key Questions

What is Unicorn Currencies' approach to third-party risk?

We conduct due diligence on all vendors, partners, and service providers before engagement. This includes regulatory status, financial stability, security practices, business continuity, and compliance with our policies.

How are banking and payment partners selected?

Banking partners must be FCA-authorized (UK) or equivalent regulated institutions. We assess safeguarding arrangements, sanctions compliance, settlement infrastructure, and operational resilience before partnering.

What due diligence is performed on technology vendors?

Due diligence on technology vendors covers security assessments (SOC 2, ISO 27001), data processing agreements, GDPR/PIPEDA compliance, business continuity plans, and ongoing monitoring. We prioritize vendors with strong security postures.

How does Unicorn Currencies monitor ongoing third-party risk?

We monitor ongoing third-party risk through periodic reviews (annual for critical vendors), performance monitoring, incident tracking, and reassessment triggers (regulatory changes, security incidents, financial deterioration).

What contractual protections exist for third-party engagements?

All contracts include compliance obligations, audit rights, data protection clauses, security requirements, termination rights, and indemnification. Critical vendors have enhanced SLAs and business continuity requirements.

Governance

The Compliance Officer is responsible for third-party risk management, with Board oversight for critical vendor relationships. Questions or concerns:

Email: compliance@unicorncurrencies.com
UK Phone: +44 (20) 8064-0818
Canada Phone: +1 (548) 488-0818

Related Policies: Safeguarding Policy · Privacy Policy · Financial Crime Prevention Framework