1. Introduction
This Risk Management Policy (“Policy”) establishes the framework for identifying, assessing, mitigating, monitoring and reporting risks arising from the online gambling activities of Onmidev Ltd. (“Company”), which is licensed in Anjouan and incorporated in Belize.
The Policy is designed to ensure compliance with Anjouan gaming legislation, licence conditions and AML/CTF requirements, and alignment with international standards such as FATF recommendations, GDPR (where applicable), ISO 31000 and recognised responsible‑gambling guidelines.
As a company incorporated in Belize, Onmidev Ltd. also aligns its governance, internal‑control and risk‑management framework with the Belize Companies Act, 2022 and Belize’s national AML/CFT policy and strategy.
The objectives of this Policy are to:
Safeguard the financial stability, operational integrity and reputation of Onmidev Ltd.
Ensure regulatory compliance with all applicable Anjouan laws, licence conditions and reporting requirements.
Mitigate legal, financial, operational, cybersecurity and reputational risks through a documented risk‑based approach.
Promote responsible gambling and consumer protection across all products and channels.
Ensure that governance, internal‑control and reporting arrangements support directors’ duties and corporate‑governance expectations under Belize company law and national AML/CFT policy.
Establish clear governance, responsibilities and effective risk reporting and escalation.
This Policy applies to all gambling‑related activities conducted under the Anjouan licence of Onmidev Ltd., and to all employees, executives, directors, contractors, agents and third‑party service providers involved in its operations.
2. Governance and regulatory framework
Onmidev Ltd. is licensed and supervised in Anjouan for iGaming activities and is incorporated under the Belize Companies Act, 2022 for corporate‑law purposes.
2.1 Director’s role
The Director/Board of Onmidev Ltd. holds ultimate responsibility for implementing and overseeing the Company’s risk‑management framework.
Responsibilities include approving this Policy and the risk appetite, integrating risk management into strategic decisions, receiving and reviewing risk reports and ensuring the Company operates within Anjouan licence requirements.
2.2 Senior management
Senior Management (CEO, CFO, COO, CCO, CTO, CRO as applicable) is responsible for executing the risk‑management strategy across all business units.
They implement internal controls, supervise risk assessments and key risk indicators, ensure adherence to policies and escalate material risks and incidents to the Director and Compliance/Risk functions.
2.3 Compliance and Risk Management Team
The Compliance and Risk Management Team ensures Onmidev Ltd. operates in full compliance with Anjouan gaming laws, licence conditions and AML/CTF requirements.
The team monitors regulatory change, conducts periodic risk assessments, implements AML/KYC, responsible‑gambling and cybersecurity measures, investigates suspicious activity and coordinates staff training.
2.4 Belize corporate governance and internal control
Onmidev Ltd. recognises that the Belize Companies Act, 2022 requires directors to exercise due care, act in the best interests of the company and ensure proper records and internal controls.
The Board and Senior Management therefore maintain documented governance arrangements, clear delegation of authority and appropriate internal‑control and risk‑management systems proportionate to the nature, size and complexity of the business.
2.5 Internal and external auditors
Onmidev Ltd. engages internal and external auditors to provide independent assurance on the effectiveness of its risk‑management framework.
Auditors review internal controls, financial integrity, technical standards and compliance with Anjouan requirements and report findings with required remediation actions to the Director and Senior Management.
2.6 Reporting and escalation
The Company maintains formal risk reporting and escalation procedures covering fraud, AML/CTF breaches, cybersecurity incidents, regulatory issues and other material risks.
Quarterly risk reports are prepared for the Director, and urgent incidents trigger immediate escalation according to defined thresholds and timelines.
3. Risk identification and assessment
3.1 Risk categorisation
Onmidev Ltd. classifies risks into the following categories:
Regulatory and compliance risks: Non‑compliance with Anjouan gaming laws, licence conditions, AML/CTF obligations and data‑protection/privacy rules.
Financial risks: Money laundering, fraud, chargebacks, fund mismanagement, liquidity and solvency issues, taxation and fee under‑payment.
Operational risks: Platform downtime, process failures, errors, inadequate KYC or player authentication, weaknesses in responsible‑gambling controls.
IT and cybersecurity risks: Cyber‑attacks, data breaches, insider threats, weak encryption, ransomware and DDoS incidents.
Reputational and market risks: Negative publicity, regulatory or political changes, unethical marketing or partnerships, shifting competition and player preferences.
3.2 Risk‑assessment framework
Onmidev Ltd. employs a risk‑based approach (RBA) to identify, analyse, measure and respond to risks.
Risks are assessed using a documented methodology and a likelihood‑impact matrix, with treatment options including mitigation, transfer, acceptance or avoidance.
3.3 Risk rating and scoring
Risks are scored on a five‑level scale (Low, Moderate, Significant, High, Critical) by combining likelihood and impact.
Significant, High and Critical risks are escalated to Senior Management and the Director and require defined mitigation plans and time‑bound follow‑up.
3.4 Materiality and tolerance
Risk‑tolerance thresholds are defined for key risk types and aligned to Anjouan regulatory expectations and the Company’s strategy.
Zero tolerance applies to breaches of AML/CTF rules, licence conditions and responsible‑gambling standards; other risks have calibrated limits and triggers.
4. Regulatory and AML/CTF risks
4.1 Compliance with Anjouan licensing requirements
Onmidev Ltd. operates under an Anjouan Gaming Licence and must meet strict requirements on fair gaming, financial integrity and player protection.
The Company maintains accurate records, cooperates with inspections and audits, notifies the regulator of material changes in ownership or operations and implements responsible‑gambling and reporting obligations in line with licence conditions.
4.2 AML/CTF and international standards (Anjouan and Belize)
The Company implements an AML/CTF framework consistent with Anjouan AML legislation, the Belize Money Laundering and Terrorism (Prevention) Act, Cap. 104, and Belize’s National AML/CFT/CPF Policy and Strategy, applying a documented risk‑based approach.
Controls include a business‑wide ML/TF risk assessment, appointment of an MLRO, CDD/EDD, record‑keeping, ongoing monitoring, sanctions/PEP screening, suspicious‑activity reporting and regular training for relevant staff.
Onmidev Ltd. takes into account findings from any Belize national or sectoral risk assessments when updating its ML/TF risk assessment and controls.
4.3 Responsible gambling and player protection
Onmidev Ltd. maintains policies and tools to identify and mitigate gambling‑related harm, including self‑exclusion, limits, RG messaging and proactive monitoring of high‑risk patterns.
Customer‑facing staff receive training to recognise problem‑gambling indicators and to support interventions, referrals and complaint handling.
4.4 KYC and due diligence
Strict KYC and CDD measures are applied to all players to prevent fraud, underage gambling and financial crime.
The Company verifies identity, age, address and payment instruments, performs EDD for higher‑risk customers and conducts ongoing monitoring and, where necessary, source‑of‑funds/wealth checks.
4.5 Data protection and privacy
Onmidev Ltd. protects customer data through appropriate technical and organisational measures aligned with applicable data‑protection rules and international good practice.
Measures include encryption, access controls, secure storage, regular security reviews and an incident‑response process for breaches.
5. Financial risks
5.1 Fraud prevention and detection
The Company implements tools and processes to detect and prevent fraud, such as chargeback abuse, identity theft and bonus abuse.
Controls include real‑time monitoring, anomaly detection, MFA, geolocation checks, blacklists and staff vetting.
5.2 Payment processing and fund security
Onmidev Ltd. partners only with vetted payment service providers that meet robust security and compliance standards.
Transactions are encrypted, subject to limits and monitored, and payment methods undergo due diligence before integration.
5.3 Solvency and liquidity
The Company maintains sufficient reserves and separates player funds from operational accounts to ensure all player obligations can be met.
Stress tests and liquidity forecasting are used to anticipate adverse conditions and maintain financial resilience.
5.4 Credit and counterparty risk
Due diligence is performed on all financial and strategic partners, with monitoring of financial stability, jurisdictional risk and contractual performance.
Contracts include risk‑mitigation clauses such as indemnities, SLAs and termination rights.
5.5 Revenue and taxation
Revenues are recognised in line with applicable accounting standards and the Company complies with its tax and fee obligations in relevant jurisdictions.
Tax and regulatory changes are monitored and reflected in internal processes as needed.
6. Operational risks
6.1 Platform security and resilience
The platform is monitored 24/7, supported by layered security (firewalls, IDS/IPS, encryption) and resilient infrastructure with redundancy and backups.
Penetration tests and vulnerability assessments are conducted regularly, and strict access controls apply to critical systems.
6.2 Business continuity and disaster recovery
Onmidev Ltd. maintains a Business Continuity and Disaster Recovery (BCDR) Plan covering critical functions, backup strategies, failover, crisis communication and regular testing.
BCDR results are reviewed by Senior Management and used to improve resilience.
6.3 Third‑party and outsourcing
Third‑party providers (platforms, PSPs, hosting, KYC, support) are risk‑assessed before onboarding and on an ongoing basis.
Contracts define data‑security, SLAs, compliance responsibilities and audit rights; contingency plans exist for provider failure.
6.4 Human resources and insider threats
Background checks, role‑based access, NDAs, training and activity monitoring mitigate insider risks.
An anonymous whistleblowing mechanism allows staff to report concerns without retaliation.
6.5 Dispute resolution and complaints
Onmidev Ltd. maintains a structured complaints and dispute‑resolution process consistent with Anjouan licensing expectations.
Complaints are logged, investigated within set timeframes and used as input for control improvements.
7. IT and cybersecurity risks
7.1 Cyber‑threat and breach prevention
The Company operates a multi‑layered cybersecurity programme including network security, endpoint protection, logging and monitoring.
Zero‑trust principles, least‑privilege access and continuous authentication are applied where appropriate.
7.2 Secure development and change management
Secure SDLC and DevSecOps practices are followed for all internal development and integrations.
Changes are documented, tested, approved and rolled back where needed via formal change‑management procedures.
7.3 Incident response
A Cybersecurity Incident Response Plan (CIRP) defines detection, containment, investigation, notification and post‑incident review activities.
Significant incidents are escalated to Senior Management and, where required, notified to relevant external stakeholders.
7.4 Access controls and authentication
Multi‑factor authentication, role‑based access, account‑lockout rules and session timeouts apply to systems and high‑value transactions.
Periodic access reviews validate that permissions remain appropriate.
7.5 Testing and security audits
Regular internal security audits and independent penetration tests are carried out, with remediation tracked to completion.
Key vendors are required to meet defined security standards and may be subject to security assessments.
8. Reputational and market risks
8.1 Social responsibility and ethics
Onmidev Ltd. commits to ethical conduct, responsible gambling and fair treatment of customers, staff and partners.
Bribery, corruption, regulatory manipulation and deceptive marketing are prohibited.
8.2 Media and public relations
The Company maintains media protocols, designates spokespersons and monitors media and social channels for reputational issues.
Crisis‑communication procedures support rapid, consistent responses to adverse events.
8.3 Market dynamics and competition
Onmidev Ltd. tracks industry trends, competitor developments and regulatory changes in target markets and adjusts strategy and product offerings accordingly.
Diversified revenue streams and contingency planning help mitigate adverse market shifts.
8.4 Political and geopolitical factors
The Company assesses political and regulatory risks in current and prospective markets and avoids jurisdictions that are incompatible with its licence, risk appetite or compliance standards.
Where exposure exists, risk‑mitigation and exit strategies are defined.
9. Monitoring, reporting and review
9.1 Ongoing monitoring
Onmidev Ltd. continuously monitors transactions, player behaviour, security events and regulatory developments using automated and manual tools.
Quarterly risk reviews assess emerging threats and the effectiveness of existing controls.
9.2 Internal and external reporting
A structured reporting framework ensures regular updates to management and the Director, including key risk indicators, incidents, breaches and remediation status.
Regulatory reporting obligations to Anjouan (e.g. AML/CTF reports, licence returns, incident notifications) are met in a timely and accurate manner.
The Company’s internal‑control, record‑keeping and reporting processes are designed so that directors can demonstrate effective oversight and risk management in line with expectations under the Belize Companies Act, 2022 and general corporate‑governance practice in Belize.
9.3 Continuous improvement
This Policy and the risk framework are reviewed at least annually and after significant incidents or regulatory changes.
Feedback from audits, incidents and regulatory findings is used to enhance controls and procedures.
9.4 Audits and inspections
Internal and external audits validate compliance with this Policy, Anjouan licence requirements and applicable standards.
The Company cooperates fully with regulatory inspections and promptly implements corrective actions.
10. Enforcement, training and awareness
Onmidev Ltd. applies a zero‑tolerance approach toward serious policy violations, including non‑compliance with Anjouan obligations, financial crime, serious responsible‑gambling failures and data‑security breaches.
All relevant personnel receive initial and periodic training on this Policy, AML/CTF, responsible gambling, data protection, cybersecurity and ethics, with attendance and understanding documented.
11. Approval and effective date
This Policy is approved by the Board/Director of Onmidev Ltd. and takes effect from 3 December 2025, remaining in force until replaced or superseded.
The Chief Risk Officer and Chief Compliance Officer are responsible for maintaining, updating and communicating this Policy and ensuring its integration into operational procedures.