KYB - KYC Policy
Last updated on 18/02/2026 at 18:24
UNIFIED KNOW YOUR CUSTOMER AND KNOW YOUR BUSINESS (KYC/KYB) POLICY - GOATCOM
1. Introduction, Purpose, and Scope
1.1. Introduction and Institutional Commitment
1.1.1. GOAT COMMERCE LTDA (“GOATCOM”), a limited liability company, registered under CNPJ No. 60.126.754/0001-14, acts as a sub-acquirer and payment solutions provider in the Brazilian Payment System (SPB) ecosystem. Goatcom recognizes that its operations place it in a context of high regulatory responsibility and risk.
1.1.2. This Unified Know Your Customer and Know Your Business (KYC/KYB) Policy is the master document that formalizes Goatcom's Senior Management commitment to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) and fraud prevention. The adoption of this policy demonstrates due diligence and concern for the integrity of the financial market.
1.2. Purpose and Objectives
1.2.1. The purpose of this Policy is to establish a set of exhaustive procedures for the identification, verification, risk classification, and continuous monitoring of all parties that interact with Goatcom. The objectives include:
- Regulatory Compliance: Ensuring strict adherence to legislation, especially BCB Circular No. 3,978/2020 and Law No. 9,613/1998.
- Risk-Based Approach (RBA): Implementing a risk management system that allows for the efficient allocation of due diligence resources.
- Risk Mitigation: Preventing the platform from being used for financial crimes, money laundering, and terrorism financing.
- Institutional Protection: Protecting Goatcom from regulatory sanctions, financial losses, and reputational damage.
1.3. Scope and Coverage
1.3.1. This Policy has broad and mandatory application to Goatcom's entire value chain, covering Individuals (KYC), Legal Entities (KYB), employees, and third parties with access to sensitive data or involvement in onboarding processes.
2. Legal Fundamentals and Regulatory Framework
2.1. Goatcom's KYC/KYB structure is built on a solid legal and regulatory foundation:
| Standard | Detailed Description | Relevance to Goatcom |
|---|---|---|
| Law No. 9,613/1998 | Provides for the crimes of "laundering" or concealment of assets and establishes the obligation to report to COAF. | Primary law defining Goatcom's responsibility in processing financial transactions. |
| BCB Circular No. 3,978/2020 | Establishes the policy and internal controls focusing on the Risk-Based Approach (RBA). | Main technical reference adopted in full to demonstrate regulatory robustness. |
| BCB Circular Letter No. 4,001/2020 | Discloses the list of operations that may constitute indications of "laundering" crimes. | Guides the parameterization of Goatcom's transaction monitoring systems. |
| BCB Resolution No. 501/2025 | Reinforces controls for fraud prevention, with emphasis on rejecting transactions for suspicious accounts. | Mandates the integration of fraud combat with AML/CFT and real-time monitoring. |
| COAF Resolution No. 40/2021 | Provides for procedures in the identification of Politically Exposed Persons (PEPs). | Defines the criteria and enhanced due diligence (EDD) mandatory for relationships with PEPs. |
| Law No. 13,709/2018 (LGPD) | General Personal Data Protection Law. | Ensures that data processing is carried out with security, transparency, and legitimate purpose. |
3. Governance, Structure, and Responsibilities
3.1. Governance Structure and Lines of Defense
3.1.1. KYC/KYB governance at Goatcom is structured on the Three Lines of Defense model:
| Line of Defense | Structure | Primary Responsibility |
|---|---|---|
| First Line | Business Units | Execution of KYC/KYB procedures in onboarding and initial monitoring. |
| Second Line | Compliance Directorate (MLRO) | Formal accountability before BACEN/COAF and management of the due diligence team. |
| Third Line | Internal Audit | Independent and periodic evaluation of control effectiveness. |
| Senior Management | Executive Board | Approval of the Policy, definition of Risk Appetite, and resource allocation. |
3.2. Principles of Action and Duties
3.2.1. Goatcom adopts non-negotiable principles: Proportionality (diligence according to risk), Confidentiality (compliance with LGPD), Non-Retaliation (protection of the whistleblower), and Duty of Collaboration of all employees.
4. Risk-Based Approach (RBA) and Internal Risk Assessment (IRA)
4.1. The IRA is a formal process carried out annually to identify vulnerabilities. It considers four main risk factors:
- Customer: Profile of the Individual or Legal Entity, reputation, and complexity (e.g., PEPs, complex corporate structures).
- Geography: Location of headquarters or origin of transactions (e.g., jurisdictions listed as high-risk by GAFI/FATF).
- Product/Service: Inherent risk of services (e.g., anticipation of receivables, high transaction velocity).
- Distribution Channel: Means of access (e.g., open APIs, third-party integrations).
4.2. Risk Matrix and Due Diligence Levels
| Risk Level | Applied Diligence | Registration Review Frequency |
|---|---|---|
| Low | Simplified Due Diligence (SDD) | Every 2 years |
| Medium | Standard Due Diligence (StdDD) | Annual |
| High | Enhanced Due Diligence (EDD) | Semiannual and Continuous |
4.3. Risk Appetite and Zero Tolerance
4.3.1. Goatcom adopts zero tolerance for relationships involving international sanctions lists (OFAC, UNSC), indications of terrorism financing, or refusal to provide essential information.
5. Due Diligence Procedures for Individuals (KYC)
5.1. Simplified Due Diligence (SDD): Collection of basic data (Name, CPF, address) and automated verification with the Federal Revenue Service.
5.2. Standard Due Diligence (StdDD): Requires photo ID, proof of residence, facial biometrics with proof of life (Liveness), and consultation of restrictive lists and negative media.
5.3. Enhanced Due Diligence (EDD): Applied to High Risk and PEPs. Requires verification of source of wealth (Income Tax Return, balance sheets), formal interview, and approval by the AML/CFT Committee.
6. Due Diligence Procedures for Legal Entities (KYB)
6.1. Simplified Due Diligence (SDD): Collection of CNPJ, Company Name, and verification of "Active" registration status.
6.2. Standard Due Diligence (StdDD): Requires corporate documentation (Articles of Association), CNAE analysis, clearance certificates, and KYC of legal representatives.
6.3. Enhanced Due Diligence (EDD): Includes mandatory identification of the Ultimate Beneficial Owner (UBO) with detection of control above 25%, analysis of complex corporate chains, verification of source of funds, and on-site or virtual visits.
7. Continuous and Transactional Monitoring
7.1. Goatcom uses systems parameterized according to BCB Circular Letter No. 4,001/2020 to detect atypical patterns such as Fractioning (Smurfing), Circular Transactions, and Profile Incompatibility.
7.2. According to BCB Resolution No. 501/2025, the company performs mandatory rejection of transactions for accounts suspected of fraud and actively collaborates in information exchange with other institutions.
8. Data Treatment, Security, and LGPD
8.1. Data is processed exclusively for compliance with legal obligations (Art. 7, II of the LGPD). Goatcom adopts encryption, restricted access control (MFA), and audit logs.
8.2. Documents are maintained for a minimum period of 5 (five) years after the end of the relationship, as required by law.
9. Training, Audit, and Sanctions
9.1. The company conducts mandatory annual training for all employees and independent annual audits to evaluate the effectiveness of controls.
9.2. Non-compliance with requirements results in onboarding refusal or immediate contract termination, with blocking of funds and communication to authorities (COAF, BACEN).
10. Final Provisions
10.1. This Policy enters into force on the date of its approval. Approved by the Goatcom Executive Board on January 16, 2026 (Version 3.0).
10.2. GOAT COMMERCE LTDA - CNPJ: 60.126.754/0001-14