Risk Management (RMP) Policy

Last updated on 18/02/2026 at 18:24

RISK MANAGEMENT POLICY (RMP) - GOATCOM

1. Introduction and Objective

1.1. The Risk Management Policy (RMP) of Goatcom is the guiding document that establishes the structure, guidelines, and responsibilities for integrated risk management throughout the organization. As a sub-acquirer operating within the Brazilian Payment System (SPB), Goatcom is subject to a variety of risks that can impact its financial stability, operational continuity, and reputation.

1.2. This policy was prepared in strict compliance with the regulations of the Central Bank of Brazil (BACEN), notably BCB Resolution No. 150/2021, which consolidates the rules on payment arrangements, and CMN Resolution No. 4,557/2017, which provides for the risk and capital management structure.

1.3. The fundamental objective of this RMP is to ensure that risks are identified, measured, evaluated, monitored, reported, controlled, and mitigated in a systematic and consistent manner. By establishing a robust risk culture, Goatcom aims to:

  • Ensure the continuity of payment services provided to its customers.
  • Protect the institution's capital and liquidity.
  • Ensure compliance with current laws and regulations.
  • Optimize strategic decision-making based on a clear view of risk appetite.

2. Scope and Applicability

2.1. This policy applies to all business units, processes, and employees of Goatcom. It covers all relevant types of risks, with a special focus on operational, liquidity, credit, and market risks, in addition to compliance and reputational risks.

3. Governance Structure and Risk Appetite

3.1. Three Lines of Defense Model

3.1.1. Goatcom adopts the Three Lines of Defense model, in accordance with international governance best practices:

1st Line: Operational Management
  Responsible parties: Business Unit Managers, IT, and Operations.
  Duties: Identify, evaluate, and mitigate the risks inherent to their daily activities, implementing effective internal controls.

2nd Line: Risk Management and Compliance
  Responsible parties: Risk Management Unit (RMU) and Compliance.
  Duties: Establish risk management methodologies, monitor adherence to risk appetite limits, and report exposures to the Board of Directors.

3rd Line: Internal Audit
  Responsible parties: Internal Audit (independent).
  Duties: Perform independent and objective assessments of the effectiveness of the risk management structure and internal controls.

3.2. Risk Appetite Statement (RAS)

3.2.1. The Executive Board annually defines the Risk Appetite Statement (RAS), which establishes acceptable risk levels. Goatcom has zero tolerance for risks involving internal fraud, money laundering, terrorist financing, and serious cybersecurity violations.

4. Managed Risk Categories

4.1. Operational Risk: Prevention of losses resulting from failures in processes, people, or systems, or from external events. Includes Cyber Risk, Fraud Risk (mitigated with real-time anti-fraud tools), and Legal Risk.

4.2. Liquidity Risk: Ensures that the company can honor its financial settlement obligations as they fall due. Includes the preparation of projected cash flows and the maintenance of a Liquidity Contingency Plan (LCP).

4.3. Credit Risk: Arises from the possibility of merchant insolvency or of chargebacks that cannot be recovered from the merchant. Mitigated through KYC policies and the retention of receivables in high-risk cases.

4.4. Market Risk: Monitoring of interest rate mismatches or variations in indices that may affect the value of financial assets and liabilities.

5. Risk Management Process

5.1. The process is continuous and composed of the following phases:

  • Identification: Systematic mapping of new and emerging risks.
  • Measurement and Evaluation: Scoring of each risk's probability and impact on a 5x5 Risk Matrix.
  • Treatment and Mitigation: Definition of action plans, implementation of controls, or risk transfer (insurance).
  • Monitoring: Tracking of Key Risk Indicators (KRIs), such as chargeback rates and system downtime.
  • Reporting and Communication: Preparation of monthly reports for the Risk Committee and annual reports for the Central Bank.

6. Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT)

6.1. Goatcom adopts a rigorous AML/CFT policy in compliance with BACEN Circular No. 3,978/2020. The management of this risk is integrated into the global risk structure.

6.2. KYC procedures include the identification and qualification of merchants, identification of ultimate beneficial owners, and systematic verification of Politically Exposed Persons (PEP).

6.3. Transactional monitoring uses automated systems to identify indications of money laundering, with mandatory reporting of suspicious cases to COAF; such reports are kept strictly confidential and are not disclosed to the parties involved.

7. Business Continuity and Crisis Management

7.1. The business continuity program aims to ensure the maintenance or timely resumption of critical activities. It includes a Business Impact Analysis (BIA), a Business Continuity Plan (BCP), and a Disaster Recovery Plan (DRP), all tested annually.

8. Audit and Compliance Monitoring

8.1. The effectiveness of the structure is evaluated by Internal Audit and through Risk and Control Self-Assessments (RCSA) performed semi-annually by business unit managers.

8.2. Goatcom prepares an annual report detailing the risk management structure and the effectiveness of controls, keeping it available to the Central Bank of Brazil.

9. Final Provisions

9.1. Failure to comply with the guidelines of this Policy will subject those responsible to disciplinary sanctions, in addition to applicable civil and criminal liabilities.

9.2. This policy takes effect on the date of its approval and will be reviewed on a regular basis at least every 12 months. Approved by the Executive Board of Goatcom on January 14, 2026 (Version 1.0).

9.3. GOAT COMMERCE LTDA - CNPJ: 60.126.754/0001-14
