ZYC-COMP-HDBK – Compliance Handbook


Purpose

This handbook explains how compliance operates at Zeyro — who is responsible for what, how our control framework fits together, and how we meet our obligations under the UK regulatory regime. It links to the firm’s policies, registers, and monitoring plans.


Scope

Applies to all Zeyro staff, directors, and contractors engaged in the firm’s regulated and unregulated business activities:

  • Approval of cryptoasset financial promotions;

  • Approval of Overseas Fund Regime (OFR) promotions;

  • Facilities services under MiFID (arranging).


1. Regulatory Context

Zeyro Limited is authorised and regulated by the Financial Conduct Authority (FRN 1001386) for arranging (bringing about) deals in investments and agreeing to carry on a regulated activity. Our compliance framework aligns with the UK MiFID framework, FSMA 2000, and all UK rules derived from EU law (as currently in force in the UK).

Key Rulebooks

  • PRIN – FCA Principles for Business (integrity, skill, fairness, communication, etc.)

  • SYSC – Senior Management Arrangements, Systems and Controls

  • COCON – Conduct Rules for all staff

  • COBS – Conduct of Business

  • DISP – Complaints handling

  • MLRs 2017 – AML/CTF obligations

  • DPA 2018 – UK Data Protection Act and GDPR as implemented in UK law


2. Our Compliance Model

Senior Management Functions

  • Gareth Malna – SMF16/17 (Compliance Oversight and MLRO); Director and Board member

  • Wayne Green – Director (non-SMF) supporting governance, risk, and operations

  • Giles Swan – Non-Executive Director responsible for independent challenge at Board level

The Board

Holds overall accountability for compliance and culture, approves all policies, and reviews key registers quarterly (conflicts, complaints, inducements, training, etc.).

The Compliance Function

Led by Gareth Malna. Operates independently, with authority to review, challenge, and escalate issues directly to the Board. Maintains:

  • The Compliance Monitoring Plan (testing frequency and scope)

  • The Policy Register

  • The Regulatory Breach and Incident Log


3. Framework Components

Component        | Purpose                                          | Where Held
-----------------|--------------------------------------------------|---------------
Policies         | Define principles and controls.                  | GitBook
Procedures       | Describe how staff follow each process.          | Jira workflows
Registers        | Record actions, exceptions, or approvals.        | Jira
Monitoring Plan  | Sets testing schedule and evidence requirements. | Confluence
Board Minutes    | Evidence oversight and review.                   | Confluence


4. Core Policies (Summary)

Area                        | Policy Code(s) | Purpose
----------------------------|----------------|---------------------------------------------
Conduct & Governance        |                | Defines accountability and oversight.
Financial Crime and Integrity |              | Prevents misuse of Zeyro's services.
Clients & Services          |                | Sets onboarding and approval standards.
Operations and Information  |                | Protects systems, data, and continuity.
Culture & HR                |                | Ensures competence, integrity, and fairness.

All policies are available in GitBook and version-controlled via the Policy Register.


5. Compliance Monitoring

The Compliance Monitoring Plan (ZYC-COMP-MON) defines periodic and thematic reviews. Typical monitoring areas include:

  • AML / CTF controls and DotFile onboarding

  • Financial promotion approval quality

  • Ongoing monitoring of client promotions

  • Data-protection compliance

  • Complaints and conflicts registers

  • Staff conduct and SMCR adherence

Findings are reported quarterly to the Board, with actions tracked to closure in Jira Service Management.


6. Risk Management Linkage

Compliance works hand-in-hand with the Risk Management Policy (ZYC-RISK-001) and the Business-Wide Risk Assessment. Each compliance test and policy maps back to a specific risk in the BWRA.


7. Escalation and Breach Handling

  • Any potential breach of law, regulation, or policy must be reported immediately to the MLRO.

  • The MLRO logs breaches in the Regulatory Breach Register.

  • Serious issues are escalated to the Board and, where appropriate, the FCA via SUP notifications.


8. Interaction with the Regulator

Zeyro’s relationship with the FCA must remain open and cooperative (Principle 11). All regulatory communications are logged in Confluence. The MLRO is the single point of contact for all supervisory correspondence.


9. Record-Keeping

Records must be:

  • Accurate, retrievable, and tamper-evident;

  • Retained for five years (or longer if required by law);

  • Stored within Microsoft 365, Atlassian Suite, and other approved repositories.


10. Culture and Ethics

Compliance at Zeyro is built on three principles:

  1. Transparency – issues are surfaced early;

  2. Integrity – decisions are made in the open;

  3. Accountability – responsibility sits where authority lies.

These principles underpin the FCA Conduct Rules and Zeyro’s internal Code of Conduct & Ethics Policy (ZYC-ETH-001).


Review and Maintenance

The MLRO reviews this handbook annually to ensure consistency with regulatory expectations and Zeyro’s operational structure.


Document Control

Field                   | Details
------------------------|----------------------------------------------------------------------------------------------------------------
Document Code           | ZYC-COMP-HDBK
Document Title          | Compliance Handbook
Document Owner          | Gareth Malna – MLRO (SMF16/17)
Responsible Reviewer(s) | Zeyro Board
Version                 | v1.0
Date Approved           | October 2025
Next Scheduled Review   | October 2026
Change History          | v1.0 (Oct 2025): Replaced legacy Compliance Manual; streamlined structure to reflect policy-based framework and GitBook publication.
Classification          | Internal handbook – available to all staff and regulators on request.
Last updated            |