Aku presents itself as a Nigeria-based, “payments-led digital bank” offering wallets, transfers, bill pay, cards, and merchant tools. The operator claims CBN licensing via Akupay Services Limited. R42 has received an unverified whistleblower allegation involving “Visa penalty letters” and merchant penalties. Status: Under Review.

---

1) R42 Risk Signal

• Traffic Light: ⚫ Under Review

• Confidence Grade: Corroborated (licensing footprint) / Unknown (allegation specifics)

• Rationale (brief): Aku’s claimed operator (Akupay Services Limited) appears on the Central Bank of Nigeria’s published list of Payment Solution Service Providers (PSSP). However, R42 has received an unverified whistleblower allegation alleging fabricated “Visa penalty letters” and penalty demands. We do not yet have primary documents (letters, case IDs, acquirer confirmations, settlement statements) to verify or falsify the claim.

---

2) Key Data (at-a-glance)

---

3) What the Company Does (business model)

Aku markets “easy payments + simple banking,” typically associated with:

• Consumer functions: wallet/account features, transfers, bill payment, card access (where available).

• Merchant functions: tools to receive payments, including QR-style acceptance and “turn any phone into a POS” style positioning (exact technical stack and partners not yet independently verified by R42).

• Rail role: Aku sits in the collection + distribution layer (merchant acceptance and consumer payments), with potential upstream dependencies (banks, acquirers, card-program partners, switches). Those dependencies matter for compliance and dispute handling.

---

4) Regulatory & Legal Framework (Nigeria — why it matters)

Aku’s website presents CBN licensing via Akupay Services Limited. A PSSP authorisation is a payments-system licence category—not automatically the same as a deposit-taking commercial bank licence. In practice, compliance questions for merchants and users include:

• Which regulated entity holds customer funds (if any) and under what safeguarding model?

• Who the upstream bank/acquirer is for card acceptance and settlement.

• What activities are performed directly vs via partners (e.g., issuing, acquiring, switching, wallets, agency banking).

Baseline compliance expectations in Nigeria commonly include:

• AML/CFT controls (CDD/KYC, monitoring, suspicious reporting pathways, sanctions screening).

• Data protection duties for customer/merchant data processing and security governance.

• Consumer/merchant protection: transparent fees, dispute processes, complaint handling, and fair termination/reserve terms.

R42 note: Regulatory compliance can exist alongside operational misconduct allegations. The key is whether controls and governance actually prevent abuse—and whether any alleged practice can be verified.

---

5) Ownership, Founders, Executives (best-effort; verification gaps)

What we can identify from open sources

• Adaeze “Dezzy” Onwumere (Ogakwu) is publicly described as CEO and co-founder in interviews and professional profiles.

• Additional co-founder references exist in third-party profiles, but R42 treats these as leads unless confirmed via official corporate filings or direct company confirmation.

Verification gaps (what we still need)

To confirm directors, shareholders, and beneficial owners (UBOs), R42 needs:

• Corporate Affairs Commission (CAC) extracts (directors, shareholding/PSC/beneficial ownership where available),

• or equivalent official registry documentation,

• plus confirmation of any holding entities and control persons.

---

6) Corporate Structure & Related Entities (as represented)

Aku’s website asserts:

• Operator: Akupay Services Limited

• Brand ownership (trademark): Aku Fintech Services Ltd (Lagos)

R42 has not verified whether these are:

• separate group entities with a holding structure, or

• a branding/legacy separation for IP purposes.

---

7) Products, Integrations & Technical Footprint (risk lens)

Key items R42 will track and update as evidence emerges:

• Merchant onboarding controls: what KYC/KYB checks are performed, and at what thresholds.

• API fields and merchant attribution: the whistleblower alleges the API prompts for a “source URL.” If true, this could be benign (merchant descriptor/metadata) or risky (used to attribute “violations” without proper case evidence). Unverified.

• Dispute handling: how chargebacks/disputes are routed (merchant → processor → acquirer → scheme flow), and who has authority to issue penalty notices.

---

8) What “Penalty Letters” are (and why fake ones are serious)

In card payments, “penalty letters” (or scheme program notices) typically relate to card-network or acquirer compliance programs—often triggered by elevated chargebacks, fraud rates, data-quality issues, or prohibited activity. Legitimate notices normally include a verifiable case reference/program, clear identification of the acquirer (and sometimes scheme program), dates/metrics, and an escalation path through the acquiring chain.
If an intermediary fabricates such letters (e.g., no verifiable case ID, no acquirer confirmation, inconsistent letterhead), the “penalty” can become a pretext to extract money from merchants—potentially constituting misrepresentation, fraud, and unjust enrichment, depending on facts and jurisdiction.

---

9) Complaints, Allegations, Enforcement, Litigation

Public complaints & signals

As of 2026-01-15, R42 has not compiled a confirmed public enforcement record tied to Aku/Akupay in major open sources reviewed for this initial listing. This will be updated if regulator notices, court filings, or verified complaint clusters emerge.

Whistleblower / insider report (UNVERIFIED)

R42 received a whistleblower tip alleging:

• “falsified Visa penalty letter” without case ID,

• alleged penalties in the ₦50,000–₦60,000 range,

• and a claim that the processor’s API requests a source URL, which is then allegedly referenced in the penalty letter.

Status: R42 cannot currently verify or falsify these claims. We have not reviewed the underlying documents, headers, emails, or acquirer confirmations.

What would verify or debunk this quickly

• A copy of the alleged “penalty letter” (full header/footer, metadata, and any case/program identifiers),

• proof of who requested payment and where funds were sent,

• merchant contract terms authorising “penalties,”

• and written confirmation from the upstream acquirer/bank whether a real scheme case exists.

---

10) Risk Factors & Red Flags (current)

Regulatory risk

• Unclear separation between “digital bank” marketing and the exact licence scope for each product line.

AML/CFT risk

• Unknown KYB/KYC depth for merchants and transaction monitoring controls (needs evidence).

Merchant harm risk

• Unverified allegation of fabricated penalties and pressure tactics.

Operational/continuity risk

• Dependence on upstream partners (acquirers, issuing partners, switches) not transparently disclosed in public materials reviewed.

Transparency/ownership risk

• UBO/ownership currently unconfirmed without CAC filings.

---

11) Merchant Due-Diligence Checklist (Actionable)

If you are a merchant considering Aku (or any similar PSP), request and verify:

Regulatory & corporate

• Proof of the relevant CBN authorisation and the exact licensed entity name.

• CAC extract showing directors and ownership/PSC where available.

• Contracting entity name in your agreement must match the licensed operator.

Payments & settlement

• Who is the acquiring bank / acquirer sponsor (name + confirmation letter).

• Settlement bank details, settlement timelines, reserve/holdback terms, termination clauses.

Disputes & “penalties”

• Written policy explaining when penalties apply, who assesses them (acquirer/scheme vs processor), and how case IDs are provided.

• If you receive a “scheme penalty notice,” require:

  • a case/program identifier,

  • acquirer confirmation via official channels,

  • and consistency of letterhead, contact points, and referenced metrics.

Security & data

• Data protection posture (security controls, retention, breach notification).

• Admin access controls for dashboards/APIs and audit logs for disputes/penalties.

Walk-away triggers

• Requests to pay “penalties” without acquirer confirmation or case reference.

• Inconsistent contracting entity names, changing bank accounts, or pressure to pay urgently.

---

12) Evidence Box (References used for this initial listing)

• Central Bank of Nigeria (CBN) payments provider list (PSSP authorisation category)

• Aku website (company footer / terms / FAQs pages reviewed)

• Public founder/CEO references (professional profiles and interviews)

• Nigeria AML/CFT and data protection framework references (for contextual compliance perimeter)

• Visa chargeback monitoring/penalty program background references (for explaining “penalty letters” concept)

---

13) Update Log (Evergreen)

• 2026-01-15: Initial R42 compliance listing published. CBN PSSP listing noted for “Akupay Services Limited.” Unverified whistleblower allegation logged regarding “Visa penalty letters.”

• Next scheduled checks:

  • CAC director/ownership extract (Akupay Services Limited; Aku Fintech Services Ltd)

  • Re-check CBN list for status changes

  • Collect and verify any alleged penalty-letter samples + acquirer confirmations

  • Merchant contract review (fees/penalty clause) and dispute process documentation

---

14) Call for Information (Whistle42)

Do you have evidence about Aku / Akupay Services Limited / Aku Fintech Services Ltd—especially merchant contracts, settlement statements, emails, penalty letters (with headers), bank/acquirer confirmations, CAC extracts, or regulator correspondence? Please submit it via Whistle42.com (anonymous if needed). We are particularly interested in (1) any “scheme penalty” documentation, (2) where funds were requested to be paid, and (3) whether an upstream acquirer confirmed a genuine case/program.