Trusted by Zambian banks, MFIs, insurers & telcos

One Platform. Every Regulator. Complete Compliance.

Enterprise risk, AML/CFTP sanctions screening, control assessments and regulatory reporting — wired together for the way Zambia’s regulators actually work.

100+ integrated modules. 15 regulators wired. 17 compliance frameworks. Built for teams that have to move quickly.

Registered Data Controller DP000394 Infratel Tier III hosting FATF & BoZ AML/CFT aligned On-prem AI-powered
17
Compliance frameworks
15
Regulators wired
100+
Integrated modules
24/7
Sanctions sync
8
Industries served
Industries

One Platform for Every Industry

ERMAML automates each department’s compliance work while giving the board and the regulator a unified source of truth — regardless of your sector.

Banking

BoZ prudential returns, FIC AML filings, Basel III alignment, and continuous sanctions screening in one operational view.

Prudential

Manual capital-adequacy and large-exposure returns drift each quarter.
Pull live from the register, format to BoZ-mandated layouts, deliver on schedule.
94% effort reduction

AML / CFT

STR/CTR aggregated by hand across departments.
Real-time screening on a 1.5M sanctions corpus; STR auto-draft to goAML schema.
24/7 monitoring

IT & Cyber

Cyber Security Act CII obligations tracked in spreadsheets.
Incident-to-RCSA flow with tamper-evident audit chain.
Audit-ready

Operations

Loss events captured weeks late.
Live operational-loss register with category-level analytics.
Real-time

Risk

Heat maps refreshed quarterly.
Live residual-risk scoring with treatment-cost ZMW tracking.
Continuous

Internal Audit

Findings live in Word docs.
Finding-to-action with 4-eyes review and SLA-driven closure.
Maker-checker

CEO & Board View

One executive surface across every banking department — risk posture, compliance state, regulator deadlines.

85%
Manual effort cut
24/7
Live posture
100%
Audit traceable
Self-Assessment

How AML-Ready Is Your Institution?

Answer six quick questions to gauge your AML/CFT & compliance maturity. Takes 90 seconds.

Complete Suite

100+ Compliance Modules

Everything your compliance, risk and audit teams need — seamlessly integrated into one platform.

KYC & CDD

Onboarding workflows, risk-tier scoring, periodic re-screening.

Beneficial Ownership

UBO walk-through with thresholds and verification evidence.

Transaction Monitoring

7 default rules, ML scoring, suppression engine, alert lifecycle.

Alert Triage

Alert → case → STR with maker-checker disposition.

Customer 360

Single view of customer risk, transactions, screening and cases.

Anomaly Detection

Isolation-forest anomaly model on every txn at ingest.

Cash & Velocity

Structuring, velocity and threshold rules tunable in the UI.

Source-of-Funds

SoF tracking with evidence vault and dispositions.

Compliance

Complete Compliance Automation

From obligation to evidence to filing — one operating system for every framework you carry.

Live Obligation Register

Every framework you carry, mapped to the controls that satisfy it — with the deadline you owe the regulator.

Control ↔ Evidence Linkage

Auto-collected evidence stored, versioned and linked to the control test that consumes it. No more scavenger hunts before the audit.

Regulator-grade Reports

Filed in the format each regulator actually wants — BoZ returns, FIC STR/CTR, PIA solvency, NAPSA contributions.

FIA Act 2010 BoZ AML/CFT Directive BFSA Insurance Act 1997 (rev. 2021) PIA Regulations Cyber Security Act 2025 Data Protection Act 2021 FATF Recs ISO 31000 ISO 27001 NIST CSF COSO Basel III SOX GDPR-aligned
100%
Auto-evidence linkage
17
Frameworks wired
19
Filing cadences automated
4-eyes
Maker-checker on every decision
Implementation Timeline

Your Compliance Journey

How fast your institution can be audit-ready on ERMAML. Pick a size to see realistic timelines.

Estimated: 30 days to audit-ready

Map your data — core banking, KYC vendor, ledger, mobile-money switch — and wire read-only connectors.

  • Source-of-record audit
  • AML-RO database role
  • Watermark-based delta sync

Run a one-off back-load to populate risk tiers and PEP/sanctions baseline.

  • FIC PEP list import
  • Customer back-load
  • Tier baseline

Tune monitoring rules against historic data; calibrate false-positive rates.

  • 7 default rules
  • False-positive backtest
  • Rule UI per analyst

Collect existing control evidence and policies into the vault.

  • Policy + attestation
  • Control library mapping
  • Audit-log baseline

Switch on real-time sanctions and adverse-media screening.

  • Screening gate active
  • Case workflow live
  • STR-to-FIC ready

Train Compliance Officers, analysts and reviewers; sign off on SOPs.

  • LMS courses live
  • Maker-checker enforced
  • Attestation cycle

Walk-through with regulator artefacts; submit first filings.

  • First STR filed
  • First BoZ return filed
  • Audit-pack export
How It Works

From Setup to Optimized in 3 Phases

The arc every customer follows — from connecting data to closing the audit.

Connect Discover Assess Protect Monitor Certify
1

Discover & Assess

Connect your data sources, baseline risk and compliance posture, identify gaps.

  • Source-of-record audit + connectors
  • Customer back-load & risk-tier baseline
  • Gap analysis vs every framework wired
  • Heatmap on inherent & residual risk
  • Treatment cost in ZMW
2

Secure & Comply

Switch on monitoring, harden controls, train teams, file with regulators.

  • Real-time sanctions & PEP screening
  • Transaction-monitoring rules live
  • Case workflow with maker-checker
  • STR/CTR to goAML schema
  • BoZ / FIC / PIA / NAPSA returns
3

Optimize & Automate

Tune rules from feedback, surface KRI breaches, automate the predictable.

  • Continuous-learning ML retrain
  • KRI thresholds with auto-escalation
  • Filing calendar with SLA breach alerts
  • SLA on case closure with auto-escalation
  • Exec pack one-click
Why Automate?

Manual vs Automated Compliance

The real cost of running AML/CFT on spreadsheets — and what changes when the platform does the work.

Without ERMAML
  • Sanctions screening on the OFAC website, one customer at a time
  • KYC docs scattered across shared drives
  • Transaction reviews after month-end batch
  • STR drafted in Word; mis-keyed names
  • PEP lists refreshed quarterly, by hand
  • Risk scoring in a brittle Excel workbook
3,200+
Manual screening hours / year
With ERMAML
  • Real-time OpenSanctions + UN + OFAC + EU feeds
  • Document vault with auto-renewal alerts
  • Continuous rule engine with 4-eyes review
  • goAML-schema STR auto-draft from case data
  • Daily FIC PEP + adverse-media delta sync
  • Customer 360 with AI risk score
92%
Reduction in false-positive review effort
Client Success

Trusted by Leading Organizations

Compliance, risk and ICT leaders across the region run their day on Ontech — from board-level oversight to the daily filings that keep regulators satisfied.

Office of the Data Protection Commissioner registration certificate

Registered Data Controller

Office of the Data Protection Commissioner — certificate DP000394, issued under the Data Protection Act 2021.

Open full size
Ontech professional certificate of completion

Ontech Professional Certificate

Signed certificate of completion — on file as part of the operator’s due-diligence pack.

Open full size
INFRATEL data centre hosting confirmation letter

Tier III Data Centre Hosting

INFRATEL Corporation confirms the platform has been hosted in their Tier III facility since August 2020 — ISO/IEC 27001:2022, PCI DSS, Uptime Tier III. Letter signed by Eng. Zeko Mbumwae, CIO.

Open full size
Goodfellow Finance Goodfellow Finance
The platform is in live operational use and has performed reliably to our satisfaction. Ontech has demonstrated professional excellence, technical competence and a strong understanding of Zambia's AML/CFT regulatory framework.
IDC IDC
Ontech delivered our network infrastructure refresh end-to-end in 2023 — Cisco implementation, on schedule, with the technical depth we needed at every stage.
REA REA
Ontech built and rolled out our payment platform to spec. We'd engage them again for work in the same space without hesitation.
ZICTA ZICTA
Ontech delivered the 7070 short-code integration end-to-end — SMS and USSD live across all three mobile network operators. It has worked from the day we cut over.
GeePay GeePay
Bank of Zambia electronic-money guidelines are unforgiving. Ontech stood up the KYC, AML and risk-management layer that keeps us on the right side of every requirement.
MLSS MLSS
Ontech has been running our 7010 toll-free line since September 2023. The contact-centre operation has been steady and our public-facing channel has been there when citizens need it.
Akros Akros Research
We were pleased with Ontech's technical expertise comprising this work, as well as their project management capabilities and commitment to delivering high-quality solutions.
NATSAVE NATSAVE Bank
We have engaged Ontech as a strategic partner in the provision of ICT Digital Solutions such as Anti Money Laundering systems for the bank. They have a competent team of engineers who do outstanding work to our satisfaction.
Wired into the regulators you report to
Bank of Zambia FIC ZRA PIA NAPSA NHIMA ZEMA ACC PACRA ZICTA CCPC ERB SEC ZPPA WCFCB
Platform Security

Enterprise-Grade Security

The platform that holds your compliance evidence has to clear the bar it sets for everyone else.

AES-256
At-rest encryption
RBAC
+ Branch scoping
Tier III
Infratel hosting
Hash-chain
Tamper-evident audit

Data sovereignty

PostgreSQL on Infratel Tier III in Lusaka. PII column encryption. DPA-aligned retention & right-to-erasure.

  • Data Protection Act 2021
  • Fernet-encrypted secrets
  • In-country hosting (Lusaka)

Identity & access

Real RBAC with dynamic role/permission grants, per-user overrides, JWT auth and rate-limited login at the edge.

  • Superadmin > Admin > Branch Manager…
  • Branch-scoped data access
  • 4-eyes maker-checker

Audit & assurance

Hash-chained audit log over case events and screening logs — every decision, every policy change, every screening result.

  • Tamper-evident hash chain
  • Immutable evidence vault
  • One-click audit pack export
ISO/IEC 27001 aligned SOC 2 ready NIST CSF OWASP FATF Recs DPA 2021 CSA 2025
Monitoring

Real-Time Pipeline Health

If a sanctions sync stalls or a screening queue ages, you should know before the regulator does.

Sanctions sync

Freshness, last delta, indexed-record count.

Screening latency

Live p50 / p95 / p99 on the screening gate.

Alert queue age

Live aging buckets; breach-predicted alerts highlighted.

Elasticsearch

Cluster health, shard status, ingest rate.

Smart alerting

SLA-aware alerts that escalate as cases age past threshold.

Grafana dashboards

Drill into AML, ERM and ICT-side KPIs from one place.

Containerised

PgBouncer pooling + replica back-ends + ES multi-node config.

AI / ML

On-Prem AI Intelligence

Customer-risk scoring, compliance Q&A, anomaly detection — trained on your data, in your data centre.

Semantic search

Embedding search across policies, regulations, cases and STR archives — find the precedent fast.

Compliance chat

Q&A grounded in BoZ / FIC / PIA / ZICTA source documents. Cites the section, every time.

Customer risk scoring

Calibrated GBT classifier on customer + transaction features with continuous learning.

Anomaly detection

IsolationForest at the ingest path catches outliers in seconds, not weeks.

On-prem inference No data egress IsolationForest Gradient Boosting Sentence embeddings Continuous learning GDELT adverse media Graph analysis