
Compliance

Our commitment to regulatory compliance and security standards

Last updated: December 5, 2024

Our Commitment to Compliance

Sunny Payments Limited is committed to maintaining the highest standards of regulatory compliance and security. As a licensed Payment Service Provider, we adhere to all applicable laws, regulations, and industry standards to protect our customers, merchants, and partners.

Our compliance program is designed to ensure the integrity of our payment systems, protect against financial crimes, and safeguard sensitive data. We continuously invest in compliance infrastructure and work closely with regulators to maintain trust in our platform.

Certifications & Licenses

CBK Licensed PSP

Licensed by the Central Bank of Kenya under the National Payment System Act, 2011 and National Payment System Regulations, 2014.

Active License

PCI DSS Level 1

Validated as a Level 1 service provider against the Payment Card Industry Data Security Standard (PCI DSS) Version 4.0. Level 1 is the most stringent validation level and requires an annual on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance (ROC).

Certified

ISO 27001:2022

Certified for Information Security Management System (ISMS) demonstrating our commitment to protecting information assets.

Certified

SOC 2 Type II

Independent Type II attestation covering the Security, Availability, and Confidentiality Trust Services Criteria under the AICPA SOC 2 framework. SOC 2 is an attestation report rather than a certification; the report covers controls operating over a review period.

Attested (report available on request)

Regulatory Compliance

Kenya Regulatory Framework

Central Bank of Kenya (CBK) Regulations

  • National Payment System Act, 2011
  • National Payment System Regulations, 2014
  • CBK Guidelines on Cybersecurity for Payment Service Providers
  • CBK Prudential Guidelines

Data Protection

  • Kenya Data Protection Act, 2019
  • Registration with Office of the Data Protection Commissioner (ODPC)
  • Data Protection Impact Assessments (DPIA)

Anti-Money Laundering (AML)

  • Proceeds of Crime and Anti-Money Laundering Act (POCAMLA)
  • Prevention of Terrorism Act
  • Financial Reporting Centre (FRC) reporting obligations

Consumer Protection

  • Consumer Protection Act, 2012
  • Competition Act, 2010
  • CBK Consumer Protection Guidelines

International Standards

GDPR

EU General Data Protection Regulation compliance for European customers

PCI DSS v4.0

Payment Card Industry Data Security Standard for card data protection

FATF Recommendations

Financial Action Task Force AML/CFT guidelines

ISO 22301

Business Continuity Management System standards

Anti-Money Laundering (AML) Program

Our comprehensive AML program is designed to detect, prevent, and report money laundering and terrorist financing activities:

1. Know Your Customer (KYC)

Robust identity verification including document verification, biometric checks, and ongoing customer due diligence.

2. Transaction Monitoring

Real-time monitoring systems to detect suspicious transaction patterns and unusual activity across all payment channels.

3. Sanctions Screening

Automated screening against global sanctions lists including UN, OFAC, EU, and Kenya-specific sanctions.

4. Suspicious Activity Reporting

Timely filing of Suspicious Transaction Reports (STRs) to the Financial Reporting Centre (FRC) as required by law.

Data Security Measures

Encryption

AES-256 encryption for data at rest, TLS 1.3 for data in transit

Tokenization

Primary account numbers (PANs) replaced with tokens that cannot be mapped back to the card number without the token vault, minimizing card-data exposure and the number of systems in PCI DSS scope

Key Management

Hardware Security Modules (HSM) for cryptographic key protection

Access Controls

Role-based access with multi-factor authentication

Network Security

Web Application Firewall (WAF), DDoS protection, intrusion detection

Audit Logging

Comprehensive logging of all access and transactions

Incident Response

We maintain a comprehensive incident response plan to handle security incidents and data breaches:

  • 24/7 Security Operations Center (SOC) monitoring
  • Defined incident classification and escalation procedures
  • Regular incident response drills and tabletop exercises
  • Notification to regulators and affected parties within required timeframes (for example, within 72 hours of becoming aware of a personal data breach to the Office of the Data Protection Commissioner under the Data Protection Act, 2019, and to the supervisory authority under GDPR Article 33)
  • Post-incident review and remediation procedures

Third-Party Risk Management

We maintain strict oversight of third-party vendors and service providers:

  • Due diligence assessment before vendor onboarding
  • Contractual requirements for security and compliance
  • Annual vendor security assessments and audits
  • Ongoing monitoring of vendor security posture

Report Compliance Concerns

If you suspect any violation of our compliance policies or applicable laws, please report it through our confidential reporting channel:

  • Email: compliance@sunnypay.com
  • Hotline: +254 700 000 001

All reports are handled confidentially. We prohibit retaliation against anyone who reports concerns in good faith.

Compliance Team Contact

For compliance-related inquiries or to request compliance documentation:

Chief Compliance Officer: Sunny Payments Limited

Email: compliance@sunnypay.com

Address: Westlands, Nairobi, Kenya