Compliance & regulation — BEAC, BCEAO, GDPR

01

Our ambition: payment solutions that are as innovative as they are compliant.

Our ambition is to offer payment solutions that are as innovative as they are compliant with current and forthcoming regulations across the African continent. At Nexus, compliance is not an add-on service: it is the very foundation on which our infrastructure is built.

Our mission: guarantee our clients efficient solutions that precisely address regulatory requirements, for a more transparent and responsible fintech ecosystem in Francophone West and Central Africa.

Zero tolerance for money laundering, terrorist financing, corruption and fraud. Every employee, integrator and partner of Nexus is held to the same ethical and regulatory standards.

02

Transparency & customer protection.

Nexus places transparency at the heart of its Mobile Money APIs and payment interoperability across West and Central Africa. Our commitments:

Public pricing — all fees are published on the website, no hidden charges, updated at least quarterly.
Mid-market FX rates — our margin on EUR/USD/GBP ↔ XAF/XOF conversions is publicly disclosed.
Timestamped receipts — every transaction generates a readable record for the end customer, with full fee, conversion and beneficiary details.
Customer funds protection — funds transiting via Nexus are held in segregated accounts at BEAC/BCEAO-licensed partner banks.
Dispute mediation — documented procedure with contractual SLAs and systematic escalation.

03

Payment system infrastructure.

Nexus operates a reliable payment infrastructure across West and Central Africa, designed to the highest standards of the global financial industry.

High availability: contractual uptime ≥ 99.98% over the last 12 months, auto-scaling, multi-zone redundancy.
Sovereign hosting: infrastructure physically hosted in Africa (Tier III certified data centers), with EU fallback.
Backup & BCP/DRP: encrypted backups at D+1, quarterly recovery tests, RPO ≤ 15 min / RTO ≤ 4h.
Interoperability: direct connections to Orange Money, Wave, MTN MoMo, Moov, YAS, Airtel, Vodacom M-Pesa and BCEAO/BEAC regional switches.
24/7 monitoring: in-house SOC, real-time alerting, on-call team with SLA ≤ 15 min on P0 incidents.

04

GDPR and local data protection laws.

Nexus secures all personal data processed in the context of its Mobile Money APIs, in compliance with the General Data Protection Regulation (EU 2016/679) and applicable local laws.

🇪🇺GDPREU Regulation 2016/679 — international transfers framed by SCCs

🇨🇮Ivorian lawLaw n° 2013-450 on personal data protection (ARTCI)

🇸🇳Senegalese lawLaw n° 2008-12 on data protection (CDP)

🇨🇲Cameroonian lawLaw n° 2010-012 on cybersecurity and cybercrime

🇧🇯Beninese lawLaw n° 2017-20 — Digital Code (APDP)

🇲🇦Moroccan lawLaw n° 09-08 on personal data protection (CNDP)

See our Personal Data Protection Policy for details on purposes, legal bases, retention periods and your rights.

05

Market structure & competition.

Our Mobile Money APIs are designed to adapt to local market structures and promote healthy competition between operators. Nexus operates in compliance with:

BCEAO Instruction n° 001-01-2024 — on e-money issuance and conditions for electronic money institutions in WAEMU member states.
COBAC Regulation R-2021/01 — on conditions for payment services activities in CEMAC.
Interoperability directive — commitments for interconnection between Mobile Money operators within and across countries.
Non-discriminatory pricing — Nexus applies the same terms to all partners for equivalent transactions.
No exclusivity — our clients remain free to work with multiple PSPs; our APIs are open and documented.

06

Governance & risk management.

Rigorous governance and effective risk management are essential for safe and reliable payment interoperability across West and Central Africa.

Risk committee

Chaired by the CEO and composed of CFO, CTO, CISO, CCO, MLRO and DPO. Meets monthly to review operational, financial, compliance, cyber and reputational risk mappings.

Three lines of defense

First line — controls embedded in business processes (KYC, screening, transaction monitoring, limits).
Second line — independent compliance, risk and control functions reporting to general management.
Third line — internal audit, annual external audits, regulatory reviews.

Annual mapping

Nexus publishes a consolidated annual risk management report to banking partners and regulators, including key indicators (fraud rate, rejection rate, processing times, incidents).

07

Regulators and applicable legal frameworks.

Nexus actively cooperates with all regulatory, supervisory and financial crime authorities of the countries where we operate.

BEACBank of Central African States — CEMAC (6 countries)

BCEAOCentral Bank of West African States — WAEMU (8 countries)

COBACCentral African Banking Commission

COFEB / SGCBGeneral Secretariat of the WAEMU Banking Commission

ANIF / CENTIFNational Financial Intelligence Units (Cameroon, Senegal, Ivory Coast…)

🇫🇷ACPR · TRACFINFrench prudential authority — EU-Africa transfers

FATFFinancial Action Task Force — 40 AML/CFT Recommendations

ARTCI · ARPT · ARCEPTelecom regulators for Mobile Money interoperability

08

Certifications, licenses and audits.

Our infrastructure and processes are regularly audited by recognized independent third parties. Each certification undergoes annual recertification and mid-cycle surveillance.

PCI-DSS Level 1International payment card data security standard — highest level

ISO/IEC 27001Information Security Management System (ISMS)

ISO/IEC 27701Privacy extension — privacy information management

ISO 22301Business Continuity Management (BCP/DRP)

SOC 2 Type IIIndependent audit on security, availability, confidentiality

Visa · MastercardPrincipal member of Visa and Mastercard schemes

09

Infrastructure security.

Data and fund security is our top priority. We apply defense-in-depth across the entire chain.

Encryption

In transit — TLS 1.3 with Perfect Forward Secrecy on all APIs.
At rest — AES-256 for databases and backups, keys managed via FIPS 140-2 Level 3 HSM.
Tokenization — card numbers and IBANs tokenized, never stored in cleartext.

Testing & audits

Annual pentests — external intrusion tests by specialized firms.
Bug bounty — public program with rewards for security researchers.
SAST / DAST — automated scans on every deployment.
Red team — biannual internal exercises simulating real attacks.

Authentication

Mandatory MFA for all employees and admin access.
Least privilege on all internal access.
Audit logs — exhaustive logging, 10-year retention, non-repudiation.

10

A dedicated compliance team.

Nexus invests in an experienced in-house compliance team, based in Douala, Abidjan and Paris, covering all geographies where we operate.

Chief Compliance Officer (CCO)Reporting to the CEO, oversees the entire compliance framework

MLROMoney Laundering Reporting Officer — dedicated to AML/CFT, liaison with CENTIF/ANIF

DPOData Protection Officer — GDPR and local data laws

CISOChief Information Security Officer — systems security

Ethics & Anti-Corruption OfficerDrives the Sapin II and anti-corruption framework

Compliance Help Desk24/5 support for clients and partners — compliance@nexus.com

11

Our detailed policies.

Nexus publishes its full compliance policies in the interest of transparency with clients, partners and regulators.

Personal Data ProtectionGDPR, rights, purposes, retention, DPO

→

Anti-Money Laundering (AML/CFT)KYC, vigilance, SARs, sanctions

→

Anti-CorruptionSapin II, FCPA, code of conduct, whistleblowing

→

Our fintech expertise is at the service of compliance.