Compliance & Regulations
Last updated: February 2026
Pledgr is committed to operating with the highest standards of legal and regulatory compliance. As a crowdfunding platform operating in Kenya with global reach, we adhere to applicable local and international laws, industry best practices, and regulatory guidelines. This page outlines our compliance framework and the measures we take to protect our users and the integrity of our platform.
1. Regulatory Framework
Pledgr operates within the regulatory framework established by the Republic of Kenya and adheres to relevant international standards. Our operations are guided by the following regulatory bodies and legislation:
- Capital Markets Authority (CMA) of Kenya - We monitor and comply with guidelines issued by the CMA relating to crowdfunding and capital raising activities in Kenya.
- Central Bank of Kenya (CBK) - We adhere to CBK guidelines governing payment services, mobile money transactions, and foreign exchange regulations.
- Kenya Data Protection Act, 2019 - We comply with the provisions of the DPA and the regulations set forth by the Office of the Data Protection Commissioner (ODPC).
- Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), 2009 - We maintain a comprehensive AML programme in accordance with this Act and its amendments.
- Communications Authority of Kenya (CA) - We comply with regulations governing electronic communications and digital services.
We actively engage with regulators and industry bodies to stay abreast of evolving requirements and contribute to the development of a safe and transparent crowdfunding ecosystem in Kenya and beyond.
2. Anti-Money Laundering (AML)
Pledgr maintains a robust Anti-Money Laundering programme designed to detect, prevent, and report money laundering and terrorist financing activities. Our AML programme includes:
2.1 Risk Assessment
We conduct ongoing risk assessments to identify and evaluate money laundering and terrorist financing risks associated with our platform, users, transactions, and geographic reach. Our risk assessment methodology is reviewed and updated annually.
2.2 Transaction Monitoring
We employ automated transaction monitoring systems that flag suspicious patterns and unusual activity for review by our compliance team. Monitored indicators include unusually large transactions, rapid movement of funds, transactions involving high-risk jurisdictions, and patterns consistent with structuring or layering.
2.3 Sanctions Screening
All users are screened against international sanctions lists, including those maintained by the United Nations, the United States Office of Foreign Assets Control (OFAC), the European Union, and the United Kingdom. Screening is conducted at the time of registration and on an ongoing basis.
2.4 Suspicious Activity Reporting
Where we identify suspicious activity, we file Suspicious Transaction Reports (STRs) with the Financial Reporting Centre (FRC) of Kenya in accordance with our legal obligations under POCAMLA. As required by law, we do not inform the affected user when a report is filed.
3. Know Your Customer (KYC)
Pledgr implements a tiered KYC programme to verify the identity of our users while balancing user experience with regulatory requirements:
3.1 Basic Verification (All Users)
- Email address verification.
- Phone number verification via SMS OTP.
- Basic personal information (name, date of birth, country of residence).
3.2 Enhanced Verification (Drive Creators & High-Value Transactions)
- Government-issued photo identification (national ID, passport, or driving licence).
- Proof of address (utility bill, bank statement, or official correspondence dated within the last 3 months).
- Selfie verification with liveness detection to confirm identity.
- For organisations: Certificate of incorporation, KRA PIN certificate, and details of directors and beneficial owners.
3.3 Ongoing Due Diligence
We conduct periodic reviews of user accounts based on risk profiles and may request updated documentation. Enhanced due diligence is applied to politically exposed persons (PEPs), users from high-risk jurisdictions, and accounts exhibiting unusual activity patterns.
4. Payment Compliance (PCI DSS)
Pledgr is committed to the security of payment card data and adheres to the Payment Card Industry Data Security Standard (PCI DSS). Our payment compliance measures include:
- All card payments are processed through PCI DSS Level 1 certified payment processors. Pledgr does not store, process, or transmit full cardholder data on its own servers.
- Card data entry is handled exclusively through tokenised, PCI-compliant payment forms provided by our processors.
- All payment data is transmitted over encrypted connections using TLS 1.3.
- Regular vulnerability scans and penetration testing are conducted by Approved Scanning Vendors (ASVs).
- M-Pesa transactions are processed in compliance with Safaricom's API security standards and the CBK's National Payment System regulations.
- Cryptocurrency transactions are validated on-chain and processed through established, audited smart contracts where applicable.
5. Data Protection
Pledgr processes personal data in compliance with both the Kenya Data Protection Act, 2019 (DPA) and the European Union General Data Protection Regulation (GDPR). Our data protection compliance programme includes:
- Appointment of a Data Protection Officer (DPO) who oversees compliance and serves as the point of contact for data subjects and the ODPC.
- Registration with the Office of the Data Protection Commissioner of Kenya as a data controller and processor.
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Privacy by design and by default principles embedded into our product development lifecycle.
- Comprehensive data processing agreements with all third-party processors.
- Mechanisms for users to exercise their data subject rights, including access, rectification, erasure, and portability.
- Breach notification procedures in compliance with the 72-hour notification requirement under GDPR and the DPA.
For full details on how we collect, use, and protect your personal data, please refer to our Privacy Policy.
6. Tax Compliance
Pledgr complies with all applicable tax laws and regulations. Our tax compliance measures include:
- Registration with the Kenya Revenue Authority (KRA) and timely filing of all required tax returns.
- Collection and remittance of Value Added Tax (VAT) on platform fees where applicable, in accordance with the VAT Act, 2013.
- Compliance with withholding tax obligations on payments to Drive Creators as required by the Income Tax Act.
- Digital Service Tax compliance for cross-border transactions as applicable under Kenyan tax law.
- Provision of annual transaction summaries to Drive Creators to assist with their personal or organisational tax filings.
- Cooperation with tax authorities in response to lawful information requests.
Important: Pledgr does not provide tax advice. Drive Creators and pledgers are responsible for understanding and meeting their own tax obligations. We recommend consulting a qualified tax professional regarding the tax implications of creating or contributing to a Drive.
7. Reporting Obligations
Pledgr fulfils its reporting obligations to relevant authorities, including:
- Suspicious Transaction Reports (STRs) to the Financial Reporting Centre (FRC) as required under POCAMLA.
- Currency Transaction Reports (CTRs) for transactions exceeding prescribed thresholds.
- Data breach notifications to the Office of the Data Protection Commissioner within 72 hours of becoming aware of a qualifying breach.
- Regulatory filings and reports as required by the Capital Markets Authority and other relevant bodies.
- Annual compliance reports to our Board of Directors and, where required, to regulatory authorities.
Our compliance team conducts regular internal audits to ensure that all reporting obligations are met accurately and on time. We also engage external auditors annually to independently verify our compliance programme.
8. Contact Compliance Team
If you have any questions about our compliance programme, wish to report a concern, or need to submit a regulatory inquiry, please contact our compliance team:
Pledgr Compliance Department
Email: compliance@pledgr.com
Address: Westlands, Nairobi, Kenya
Response time: Within 3 business days
We also maintain a confidential whistleblower channel for reporting suspected violations of law or internal policy. Reports can be made anonymously and will be investigated thoroughly. Pledgr prohibits retaliation against any person who makes a good-faith report.