AML Policy

1. Introduction

1.1 Purpose

The purpose of this Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) Policy is to establish the framework, principles, and controls adopted by the Company to prevent, detect, and mitigate the risks of money laundering, terrorist financing, and other forms of financial crime.

1.2 Commitment to Compliance

The Company is committed to conducting its operations in compliance with all applicable AML/CTF laws, regulations, regulatory guidance, and industry best practices. To support this commitment, all employees, officers, and relevant stakeholders must adhere to the requirements and procedures outlined in this Policy.

1.3 Risk Management Approach

The management of ML/TF risks forms an integral component of the Company's overall risk management framework. Given the nature and scale of the Company's activities, appropriate processes shall be implemented to identify, assess, monitor, and control financial crime risks on an ongoing basis.

1.4 Policy Compliance

The Company shall maintain effective controls and procedures designed to ensure continuous compliance with the requirements set out in this Policy and all relevant legal and regulatory obligations.

1.5 Outsourcing and Third-Party Arrangements

Where AML/CTF-related activities are performed by external service providers or other third parties, the Company shall ensure that such parties maintain standards and controls that are consistent with this Policy and all applicable legal requirements. Responsibility for compliance remains with the Company regardless of any outsourcing arrangements.

2. Risk Appetite Statement

2.1 Financial Crime Risk Tolerance

The Company maintains a zero-tolerance approach toward money laundering, terrorist financing, fraud, sanctions violations, and other forms of financial crime. The Company also does not tolerate deliberate attempts to circumvent its compliance controls, policies, or procedures.

While no financial services business can entirely eliminate exposure to ML/TF risks, the Company seeks to reduce such risks to the lowest reasonably achievable level through the implementation of robust preventative and detective controls.

2.2 Guiding Principles

In pursuing its AML/CTF objectives, the Company adheres to the following principles:

• Preventing the facilitation of money laundering, terrorist financing, fraud, and other financial crimes;
• Avoiding business relationships with individuals or entities reasonably suspected of engaging in unlawful, unethical, or high-risk activities;
• Protecting the Company from legal, regulatory, operational, and reputational risks that could adversely affect its business, stakeholders, or regulatory relationships;
• Declining or discontinuing activities, services, or business relationships where existing controls are insufficient to manage identified risks within the Company's risk tolerance levels;
• Conducting periodic enterprise-wide risk assessments to evaluate customer, product, geographic, and distribution channel risks and determine whether existing controls remain effective;
• Maintaining a comprehensive risk management framework designed to ensure that residual ML/TF risk remains within acceptable limits.

2.3 Management Accountability

Management at all levels is responsible for identifying and managing financial crime risks within their respective areas of responsibility. This includes implementing appropriate controls, monitoring their effectiveness, and ensuring that risk management considerations are embedded within daily business activities and decision-making processes.

3. Acceptable Customer Segments

3.1 Eligible Customer Types

The Company may provide its services to both individual and corporate customers, subject to successful completion of all applicable customer due diligence, screening, and risk assessment requirements.

3.2 Individual Customers

The Company accepts individual customers who satisfy the following minimum requirements:

• The individual must be at least eighteen (18) years of age;
• Customers below the age of eighteen (18) are not eligible to establish a business relationship with the Company;
• The maximum onboarding age shall generally be sixty (60) years for customers residing in Europe and seventy (70) years for customers residing in other approved jurisdictions, unless otherwise approved following an enhanced risk assessment.

3.3 Corporate Customers

The Company seeks to establish relationships only with legitimate and reputable businesses that demonstrate transparency in their ownership structure and business activities.

Prior to onboarding any legal entity, the Company shall conduct a comprehensive Know Your Business (KYB) review, which may include:

• Verification of corporate registration and constitutional documents;
• Identification and verification of directors, authorised representatives, and beneficial owners;
• Assessment of the nature and purpose of the business relationship;
• Independent verification of information through publicly available sources;
• Internet and reputational screening to identify potential adverse information;
• Discussions with the customer where necessary to obtain a clear understanding of the business model, ownership structure, source of funds, and expected transactional activity.

The Company reserves the right to reject any prospective customer that does not meet its risk acceptance criteria or where sufficient information cannot be obtained to satisfactorily complete due diligence procedures.

4. Responsible Persons

4.1 Governance Structure

The Company's AML/CTF framework shall be supported by clearly defined governance arrangements designed to ensure effective oversight, accountability, and regulatory compliance.

The following individuals and functions play key roles in the implementation and oversight of AML/CTF controls:

• Chief Executive Officer (CEO);
• Chief Operating Officer (COO);
• Designated Compliance Officer (DCO);
• Any other persons assigned AML/CTF responsibilities by management.

4.2 Responsibilities of the Chief Executive Officer

The Chief Executive Officer shall be responsible for providing strategic oversight of the Company's AML/CTF programme and shall:

• Approve the AML/CTF Policy and other key compliance documents;
• Review AML/CTF reports submitted by the DCO and provide direction where appropriate;
• Review and approve the methodology and results of the annual Enterprise-Wide Risk Assessment;
• Ensure adequate financial, technological, and human resources are allocated to support AML/CTF compliance activities;
• Receive updates regarding significant AML/CTF matters and emerging risks;
• Ensure AML/CTF issues are appropriately discussed and addressed at senior management level;
• Support a strong compliance culture throughout the organisation.

4.3 Responsibilities of the Chief Operating Officer / Designated Compliance Officer

The COO and/or DCO shall be responsible for the day-to-day management and administration of the Company's AML/CTF compliance programme.

Their responsibilities include, but are not limited to:

• Identifying, assessing, and managing compliance risks arising from applicable laws and regulatory requirements;
• Monitoring legislative and regulatory developments and ensuring the Company's policies and procedures remain current and effective;
• Developing and maintaining AML/CTF policies, procedures, and internal controls;
• Preparing and implementing annual compliance monitoring programmes;
• Monitoring the effectiveness of compliance controls and ensuring identified deficiencies are addressed promptly;
• Conducting investigations into suspected compliance breaches and implementing corrective actions where necessary;
• Providing guidance regarding compliance implications associated with new products, services, business initiatives, or material operational changes;
• Delivering or coordinating employee compliance training and awareness programmes;
• Reporting significant compliance matters, breaches, and emerging risks to senior management;
• Acting as the primary liaison with regulatory authorities and competent agencies, including responding to regulatory enquiries, inspections, and investigations;
• Supporting customer complaint handling processes where compliance-related concerns arise;
• Performing any additional duties assigned by senior management in relation to compliance oversight.

4.4 Additional Responsibilities

Specific AML/CTF responsibilities, reporting lines, and authority levels may be further detailed in other internal policies, procedures, job descriptions, or governance documents. Such documents shall complement and not replace the requirements established within this Policy.

5. Customer Identification

5.1 General Requirements

The Company shall establish and maintain procedures designed to identify and verify the identity of all customers prior to establishing a business relationship or conducting transactions where required by applicable law.

Customer identification procedures shall apply to both natural persons and legal entities.

5.2 Remote Verification

The Company conducts customer identification and verification through remote onboarding processes and does not generally rely on face-to-face verification procedures.

Appropriate technological solutions and verification measures shall be used to ensure the reliability, authenticity, and integrity of customer identification data collected during onboarding.

5.3 Identification Standards

The Company shall collect sufficient information and documentation to:

• Verify the customer's identity;
• Understand the purpose and intended nature of the business relationship;
• Identify and verify beneficial owners where applicable;
• Assess customer risk;
• Meet all applicable AML/CTF and regulatory requirements.

5.4 Detailed Procedures

Detailed customer identification, verification, and due diligence procedures are set out in Annex 1 of this Policy and shall be followed by all relevant personnel involved in customer onboarding and review activities.

6. Risk Assessment

6.1 Risk-Based Approach

The Company adopts a risk-based approach to the prevention and management of money laundering and terrorist financing risks. Risk assessments shall be performed to identify, evaluate, and mitigate risks arising from customers, products, services, delivery channels, and geographical exposure.

The objective of the risk assessment framework is to ensure that compliance resources and controls are proportionate to the level of risk identified.

6.2 Risk Categories

The Company recognises the following primary ML/TF risk categories:

a. Customer Risk

Risks associated with the characteristics, ownership structure, reputation, business activities, or behaviour of a customer.

b. Geographic Risk

Risks arising from countries or regions associated with higher levels of corruption, sanctions exposure, financial crime, political instability, or deficiencies in AML/CTF controls.

c. Product and Service Risk

Risks associated with specific products, services, or transaction types that may be vulnerable to misuse for money laundering, terrorist financing, or other illicit purposes.

d. Delivery Channel Risk

Risks arising from the methods through which customers access the Company's services, including non-face-to-face onboarding and digital channels.

6.3 Risk Classification

Customers shall be assigned to one of the following risk categories:

• Low Risk
• Medium Risk
• High Risk
• Prohibited / Unacceptable Risk

The assigned risk rating shall determine the level of due diligence, monitoring, and review requirements applicable to the customer.

6.4 Individual Customer Risk Assessment

A customer risk assessment shall be conducted:

• Prior to establishing a business relationship;
• When significant changes occur in the customer's profile, activities, ownership structure, or transaction behaviour;
• When concerns arise regarding the accuracy or completeness of previously collected information;
• When suspicious activity indicators or heightened ML/TF risks are identified.

The Company shall maintain documented procedures and systems that support the consistent assessment and categorisation of customer risk.

6.5 Enterprise-Wide Risk Assessment

The Company shall conduct an Enterprise-Wide Risk Assessment (EWRA) at least annually.

The assessment shall evaluate the effectiveness of existing AML/CTF controls and identify emerging risks associated with:

• Customer base;
• Products and services;
• Geographic exposure;
• Delivery channels;
• Regulatory developments;
• Operational changes.

The results of the EWRA shall be documented, reviewed by senior management, and used to determine whether additional controls or risk mitigation measures are required.

The DCO shall coordinate the preparation of the EWRA in accordance with the methodology approved by senior management.

7. Monitoring of Business Relationships

7.1 Ongoing Monitoring Requirements

The Company shall maintain ongoing monitoring procedures designed to ensure that customer activity remains consistent with the information collected during onboarding, the customer's risk profile, and the intended purpose of the business relationship.

Monitoring activities shall include both customer due diligence reviews and transaction monitoring measures.

7.2 Transaction Monitoring

The Company shall monitor transactions on an ongoing basis to identify:

• Unusual or suspicious activity;
• Transactions that exceed established thresholds;
• Activity inconsistent with the customer's known profile or expected behaviour;
• Indicators of potential money laundering, terrorist financing, fraud, sanctions evasion, or other financial crimes.

Monitoring may be conducted in real-time, retrospectively, or through a combination of both approaches.

7.3 Periodic Reviews

In addition to routine monitoring, periodic reviews may be performed on selected customer groups, including but not limited to:

• High-value customers;
• Customers operating in higher-risk jurisdictions;
• Customers exhibiting elevated transaction volumes;
• Other customer groups identified by Compliance.

The purpose of these reviews is to verify the effectiveness of monitoring controls and identify activity that may require further investigation.

7.4 Source of Funds Verification

The Company may request evidence of source of funds or source of wealth where necessary to understand the legitimacy of customer activity.

Such verification may be required in circumstances including:

• Customers classified as high risk;
• Customers subject to Enhanced Due Diligence (EDD);
• Customers exceeding transaction thresholds;
• Significant deviations from expected transaction behaviour;
• Businesses operating within higher-risk industries or sectors;
• Politically Exposed Persons (PEPs);
• Any other situation where additional verification is deemed necessary by Compliance.

7.5 Risk-Based Monitoring Framework

The Company shall apply monitoring controls proportionate to the customer's assessed risk level.

Monitoring parameters may take into account factors such as:

• Customer category;
• Transaction patterns;
• Payment methods;
• Geographic exposure;
• Business activities;
• Historical account behaviour;
• Wallet risk assessments and blockchain analytics.

7.6 Automated Monitoring Controls

Where appropriate, the Company shall utilise automated systems and technology solutions to support transaction monitoring activities.

These controls may include:

• Risk-based transaction thresholds;
• Behavioural analysis and alert generation;
• Virtual asset wallet screening and scoring;
• Blockchain analytics tools;
• Detection of unusual transaction patterns.

7.7 Third-Party Monitoring Providers

Where monitoring functions are outsourced or supported by third-party service providers, the Company shall ensure that:

• Appropriate due diligence is conducted prior to engagement;
• Service providers comply with applicable AML/CTF requirements;
• Monitoring scenarios and parameters remain aligned with the Company's internal policies;
• Oversight mechanisms are maintained to assess ongoing effectiveness and compliance.

8. Screening Against PEPs, Sanctions and Adverse Media

8.1 Screening Programme

The Company shall maintain screening procedures designed to identify customers, beneficial owners, authorised representatives, and other relevant parties who may present elevated financial crime risks.

Screening shall cover:

• Politically Exposed Persons (PEPs);
• International sanctions lists;
• Adverse media and negative news sources.

Automated screening solutions may be utilised where appropriate.

8.2 Timing of Screening

Screening shall be conducted:

• Prior to onboarding;
• Prior to establishing a business relationship;
• On an ongoing basis throughout the customer lifecycle;
• Whenever material changes occur in the customer's profile;
• Prior to executing transactions where required.

For virtual asset transactions, wallet screening may additionally be performed before and during transaction processing.

8.3 Persons Subject to Screening

Screening requirements may apply to:

• Customers;
• Beneficial owners;
• Directors and senior management;
• Authorised representatives;
• Other connected parties determined to be relevant by Compliance.

8.4 Minimum Screening Data

The following information shall be screened where available:

Individuals

• Full legal name;
• Date of birth;
• Nationality;
• Country of residence;
• Identification number.

Legal Entities

• Registered business name;
• Registration number;
• Country of incorporation;
• Registered address;
• Beneficial ownership information.

8.5 Positive Screening Results

Where screening identifies a potential match, the result shall be reviewed and investigated before a decision is made.

Politically Exposed Persons

Customers identified as PEPs may be accepted only after Enhanced Due Diligence procedures have been completed and approval has been obtained in accordance with internal requirements.

Sanctions Matches

Where a customer or related party is confirmed to be subject to applicable sanctions:

• The customer shall not be onboarded;
• Transactions shall not be processed;
• The matter shall be escalated immediately to Compliance;
• Any reporting obligations to regulators or competent authorities shall be fulfilled.

Adverse Media Findings

Adverse media results shall be assessed based on relevance, credibility, severity, and recency.

Compliance shall determine whether:

• The customer may be onboarded;
• Enhanced Due Diligence is required;
• Additional controls should be implemented;
• The customer relationship should be declined.

8.6 Record Retention

Evidence of screening activities, investigations, decisions, and approvals shall be retained in accordance with the Company's record-keeping requirements and made available upon request by regulators or competent authorities.

9. Implementation of the Travel Rule

9.1 Purpose

The Company shall comply with all applicable Travel Rule requirements governing virtual asset transfers and shall implement appropriate controls to ensure that required originator and beneficiary information accompanies eligible transactions.

The objective of these controls is to promote transparency, support regulatory compliance, and assist in the prevention and detection of money laundering, terrorist financing, sanctions evasion, and other financial crimes.

9.2 Information Required for Outgoing Transfers

Prior to executing a virtual asset transfer, the Company shall obtain, verify, and retain sufficient information relating to the originator and beneficiary of the transaction.

Originator Information

Where applicable, the following information shall be collected:

• Full legal name of the originator;
• Wallet address, account identifier, or other unique transaction reference;
• Customer account number, where available;
• Residential or business address, date and place of birth, identification number, or other legally required identifying information;
• Any additional information required under applicable laws or regulatory guidance.

Beneficiary Information

Where applicable, the following information shall be collected:

• Full legal name of the beneficiary;
• Wallet address, account identifier, or other unique transaction reference;
• Beneficiary account number where available;
• Any additional information required under applicable laws or regulatory requirements.

9.3 Verification Requirements

The Company shall not initiate or process an outgoing virtual asset transfer unless all required information has been obtained and verified to the extent required by law.

Where mandatory information is unavailable, incomplete, inconsistent, or cannot be reasonably verified, the transaction shall not proceed until the deficiency has been resolved.

9.4 Incoming Transfers

Prior to accepting incoming virtual asset transfers, the Company shall assess whether the transfer contains the required originator and beneficiary information.

Where deficiencies are identified, the Company may:

• Request additional information;
• Temporarily suspend processing;
• Reject the transfer;
• Escalate the matter for compliance review.

The action taken shall be proportionate to the risk presented and consistent with applicable legal requirements.

10. Ongoing Due Diligence and Customer Information Review

10.1 Ongoing Due Diligence

The Company shall conduct ongoing due diligence throughout the duration of each business relationship to ensure that customer information remains accurate, complete, and relevant.

The review process shall also support the identification of changes in customer risk profiles, ownership structures, business activities, or transaction patterns.

10.2 Review Frequency

Customer information shall be reviewed periodically according to the assigned risk classification:

Risk Rating	Review Frequency
Low Risk	Every 3 years
Medium Risk	Every 2 years
High Risk	Annually

The Company may conduct reviews more frequently where heightened risks are identified.

10.3 Scope of Review

Periodic reviews may include:

• Verification of customer identity information;
• Review of customer due diligence documentation;
• Confirmation of beneficial ownership information;
• Review of business activities and expected account usage;
• Assessment of transaction history;
• Review of sanctions, PEP, and adverse media screening results;
• Reassessment of customer risk ratings.

10.4 Document Validity

As part of the review process, the Company shall verify that identification documents remain valid and current.

Where documents have expired or become invalid, updated documentation shall be obtained before the review process is completed.

10.5 Risk Reassessment

Customer risk ratings shall be reassessed whenever:

• Significant changes occur in customer circumstances;
• New adverse information becomes available;
• Unusual or suspicious activity is detected;
• Regulatory requirements necessitate additional review.

Any changes to the customer's risk classification shall be documented and approved in accordance with internal procedures.

10.6 Record Maintenance

Information collected during ongoing due diligence reviews shall be documented and retained in the customer file together with evidence of review dates, decisions, and supporting assessments.

11. Reporting to FINTRAC

11.1 Reporting Obligations

The Company shall comply with all applicable reporting obligations relating to suspected money laundering, terrorist financing, sanctions breaches, and other financial crime concerns.

Reports shall be submitted to FINTRAC or any other competent authority in accordance with applicable legal and regulatory requirements.

11.2 Reportable Activities

The Company shall consider reporting where it knows, suspects, or has reasonable grounds to suspect that:

• A transaction is connected to criminal activity;
• Funds are derived from unlawful conduct;
• A transaction may facilitate money laundering or terrorist financing;
• A customer is attempting to conduct a suspicious transaction;
• Other circumstances exist that require reporting under applicable legislation.

11.3 Internal Escalation

Employees who identify suspicious activity shall promptly escalate their concerns to the Designated Compliance Officer.

The escalation should include all relevant information, supporting documentation, and observations necessary to facilitate an informed assessment.

11.4 Investigation Process

Upon receiving a suspicious activity referral, the DCO shall:

• Review all available information;
• Conduct additional enquiries where appropriate;
• Assess the customer's activity, behaviour, source of funds, and transactional patterns;
• Document findings and conclusions;
• Determine whether a regulatory report is required.

The Company is not required to establish that a criminal offence has occurred before filing a report. Reporting obligations arise where reasonable grounds for suspicion exist.

11.5 Filing of Suspicious Transaction Reports

Where suspicion is established, the Company shall submit the required report to FINTRAC as soon as reasonably practicable and within any applicable statutory deadlines.

The Company may also suspend, reject, or terminate transactions where permitted by law and where such action is necessary to mitigate risk.

11.6 Confidentiality and Tipping-Off Prohibition

All reports, investigations, regulatory communications, and related information shall be treated as strictly confidential.

Employees, officers, and representatives of the Company are prohibited from disclosing:

• That a suspicious transaction report has been filed or may be filed;
• That an investigation is underway;
• The nature of information provided to regulators;
• Any details that could prejudice an investigation.

This prohibition applies except where disclosure is expressly authorised by law.

11.7 Sanctions and Prohibited Persons

The Company shall not establish or maintain business relationships with persons or entities that are subject to applicable sanctions, prohibited under applicable law, or otherwise fall outside the Company's risk acceptance criteria.

Appropriate screening and verification measures shall be completed before onboarding any customer.

11.8 Documentation Requirements

The Compliance function shall maintain records of:

• Internal suspicious activity referrals;
• Investigations conducted;
• Decisions made;
• Reports filed with authorities;
• Supporting evidence and correspondence.

All records shall be retained in accordance with the Company's record retention requirements and applicable legal obligations.

12. Termination of Transactions and Business Relationships

12.1 General Principles

The Company reserves the right to refuse, suspend, restrict, or terminate transactions and business relationships where AML/CTF concerns arise or where the customer fails to satisfy the Company's compliance requirements.

Such actions may be taken to ensure compliance with applicable laws, regulatory obligations, internal policies, and risk management standards.

12.2 Failure to Provide Information

Where a customer refuses, delays, or fails to provide information, documentation, or explanations reasonably requested by the Company, the Company may:

• Decline to process a transaction;
• Suspend pending transactions;
• Restrict account functionality;
• Refuse onboarding;
• Terminate the business relationship.

The decision shall take into account the significance of the missing information, the associated risk, and any explanations provided by the customer.

12.3 Circumstances Requiring Refusal or Termination

The Company shall not establish or maintain a business relationship where the customer:

• Fails to complete customer identification or verification requirements;
• Provides false, misleading, incomplete, or inconsistent information;
• Refuses to provide information required for customer due diligence purposes;
• Is subject to applicable sanctions or prohibitions;
• Falls outside the Company's approved risk appetite;
• Requests anonymous services or otherwise seeks to circumvent regulatory requirements;
• Is reasonably suspected of involvement in money laundering, terrorist financing, fraud, sanctions evasion, or other financial crimes.

12.4 Suspicious Activity Cases

Where suspicious activity has been identified, the Company may suspend or terminate the relationship in accordance with legal and regulatory requirements.

Any required reporting obligations shall be fulfilled before, during, or following termination as appropriate.

The Company shall ensure that any action taken does not result in unlawful tipping-off or interference with regulatory investigations.

12.5 Customer-Initiated Termination

Customers may terminate their relationship with the Company in accordance with the applicable Terms and Conditions and any legal requirements.

The Company may request completion of certain administrative or compliance procedures before final closure of the account or relationship.

12.6 Company-Initiated Termination

The Company may terminate a business relationship without prior notice where:

• Legal or regulatory requirements mandate termination;
• Financial crime risks are considered unacceptable;
• Continued service would expose the Company to excessive legal, regulatory, operational, or reputational risk;
• The customer breaches contractual obligations relating to compliance requirements.

Where legally permissible, customers shall be informed of the termination decision through appropriate communication channels.

13. Record Keeping and Data Retention

13.1 Record Retention Framework

The Company shall maintain complete, accurate, and accessible records relating to AML/CTF compliance activities.

Records shall be retained in a manner that enables the Company to demonstrate compliance with regulatory obligations and support investigations conducted by competent authorities.

13.2 Compliance Registers and Logs

The Company shall maintain, at a minimum, records relating to:

• Suspicious transaction reports and related investigations;
• Rejected or terminated customer relationships arising from AML/CTF concerns;
• Compliance reviews and monitoring activities;
• Customer risk assessments;
• Regulatory correspondence and requests;
• Employee training records.

Additional registers may be maintained where necessary to support the Company's compliance framework.

13.3 Data Recording Requirements

Relevant records shall be entered into applicable systems and registers promptly following the occurrence of the relevant event, investigation, transaction, or decision.

All records should be sufficiently detailed to allow an independent reviewer to understand:

• What occurred;
• Why decisions were made;
• Who approved the decision;
• What supporting evidence was considered.

13.4 Customer Due Diligence Records

The Company shall retain records relating to:

• Customer identification and verification;
• Beneficial ownership information;
• Risk assessments;
• Source of funds and source of wealth documentation;
• Customer communications relevant to AML/CTF matters;
• Ongoing due diligence activities.

13.5 Transaction Records

The Company shall maintain records relating to:

• Transactions processed;
• Wallet information where applicable;
• Payment instructions;
• Supporting documentation;
• Monitoring alerts and investigations.

13.6 Retention Periods

Records shall be retained for the minimum period required by applicable law and regulatory requirements.

Where multiple retention periods apply, the Company shall apply the longer period unless otherwise directed by a competent authority.

The Company may extend retention periods where:

• Required by law;
• Requested by a regulator or law enforcement agency;
• Necessary to support ongoing investigations, litigation, audits, or regulatory proceedings.

13.7 Storage and Accessibility

Records shall be maintained in secure systems with appropriate safeguards to protect confidentiality, integrity, and availability.

The Company shall ensure that records can be retrieved promptly upon request by authorised personnel, regulators, auditors, or law enforcement agencies.

14. Employee Training

14.1 Training Programme

The Company shall establish and maintain an AML/CTF training programme designed to ensure that employees understand their responsibilities and are able to effectively identify and manage financial crime risks.

The training programme shall be appropriate to the employee's role, responsibilities, and level of exposure to AML/CTF risks.

14.2 Training Objectives

Training shall seek to ensure that employees:

• Understand applicable AML/CTF laws and regulations;
• Recognise indicators of suspicious activity;
• Understand customer due diligence requirements;
• Understand sanctions, PEP, and adverse media obligations;
• Know how to escalate concerns internally;
• Understand the prohibition against tipping-off;
• Remain aware of emerging financial crime risks.

14.3 Frequency of Training

All relevant employees shall receive AML/CTF training at least annually.

Additional training may be provided where:

• Regulatory changes occur;
• New products or services are introduced;
• Emerging risks are identified;
• Internal control weaknesses are detected.

14.4 New Employee Training

Employees shall complete AML/CTF training before undertaking duties that involve customer interaction, onboarding, transaction monitoring, or compliance-related activities.

Appropriate records of completed training shall be maintained.

14.5 Training Records

The Company shall maintain records demonstrating:

• Training dates;
• Training content;
• Attendees;
• Assessment results where applicable;
• Certificates or evidence of completion.

15. Final Provisions

15.1 Independent Review and Audit

The Company shall conduct periodic independent reviews or audits of its AML/CTF programme to assess the effectiveness of controls, policies, procedures, and governance arrangements.

Findings shall be reported to senior management together with recommendations for remediation where necessary.

15.2 Policy Approval

This Policy shall become effective upon approval by the Board of Directors or authorised governing body.

The Policy shall remain in force until amended, replaced, or withdrawn in accordance with the Company's governance procedures.

15.3 Policy Review

The Policy shall be reviewed at least annually and more frequently where required due to:

• Legislative or regulatory developments;
• Changes in the Company's business activities;
• Emerging ML/TF risks;
• Audit findings;
• Regulatory feedback or enforcement actions;
• Material operational changes.

Any amendments shall be approved through the Company's established governance process.

15.4 Employee Acknowledgement

Employees whose responsibilities are affected by this Policy shall be provided access to the Policy and any subsequent updates.

The Company shall maintain evidence that relevant personnel have reviewed and acknowledged their obligations under the Policy.

15.5 Competence and Fitness Requirements

The Company shall ensure that individuals responsible for AML/CTF compliance possess the necessary qualifications, experience, integrity, and competence to perform their duties effectively.

Assessments may include review of:

• Professional qualifications;
• Relevant industry experience;
• Regulatory knowledge;
• Employment history;
• Other factors relevant to suitability and fitness.

15.6 Senior Management and Ownership Standards

Individuals serving in senior management positions or exercising ownership or control over the Company must satisfy applicable fit-and-proper requirements.

The Company shall take reasonable steps to ensure that such individuals maintain appropriate standards of integrity, competence, and reputation consistent with regulatory expectations.

15.7 Regulatory Cooperation

The Company shall cooperate fully with regulators, law enforcement agencies, and other competent authorities in matters relating to AML/CTF compliance, investigations, inspections, and reporting obligations.

All requests for information shall be handled promptly, accurately, and in accordance with applicable legal requirements.

Annex 1 — Customer Identification and Verification Procedure

1. Purpose

This Procedure establishes the requirements and standards for identifying and verifying customers prior to the establishment of a business relationship and throughout the customer lifecycle.

The objective of the Procedure is to ensure compliance with applicable AML/CTF requirements and to enable the Company to understand the identity, ownership structure, nature of activities, and risk profile of its customers.

2. General Principles

The Company shall not establish a business relationship, execute a transaction, or provide services until the required customer due diligence measures have been completed.

Customer identification and verification procedures shall be risk-based and proportionate to the nature of the customer, products and services used, geographic exposure, and overall ML/TF risk.

The Company may refuse onboarding where sufficient information cannot be obtained to satisfy identification and verification requirements.

3. Customer Due Diligence Requirements

Customer Due Diligence ("CDD") shall include, where applicable:

• Identification and verification of the customer;
• Identification and verification of beneficial owners;
• Identification of authorised representatives;
• Understanding the purpose and intended nature of the business relationship;
• Assessment of source of funds and source of wealth where required;
• Risk assessment and customer classification;
• Screening against sanctions, PEP, and adverse media databases.

4. Individual Customers

4.1 Information to be Collected

At a minimum, the following information shall be obtained from individual customers:

• Full legal name;
• Date of birth;
• Nationality;
• Residential address;
• Contact information;
• Government-issued identification details;
• Occupation or source of income, where required.

4.2 Identity Verification

Identity verification may be conducted using:

• Passport;
• National identity card;
• Driver's licence;
• Residence permit;
• Other government-issued identification accepted by the Company.

The Company may utilise electronic verification tools, biometric verification technology, liveness checks, document authentication solutions, or other approved methods.

4.3 Additional Verification

Additional documentation may be requested where:

• Customer information cannot be independently verified;
• Elevated risk indicators are identified;
• Enhanced Due Diligence measures apply;
• Regulatory requirements necessitate additional verification.

5. Legal Entity Customers

5.1 Corporate Information

The following information shall generally be obtained:

• Legal name of the entity;
• Registration number;
• Date of incorporation;
• Registered office address;
• Principal place of business;
• Nature of business activities;
• Ownership structure.

5.2 Verification Documents

Verification may include review of:

• Certificate of incorporation;
• Business registration certificates;
• Constitutional documents;
• Shareholder registers;
• Corporate resolutions;
• Regulatory licences where applicable.

5.3 Directors and Authorised Representatives

The identity of directors, authorised signatories, and other representatives acting on behalf of the entity shall be verified.

Evidence of authority to act on behalf of the entity shall also be obtained.

6. Beneficial Ownership

The Company shall identify and verify the ultimate beneficial owner(s) of legal entities.

Reasonable measures shall be taken to understand ownership and control structures.

Where ownership structures are complex, additional supporting documentation may be requested.

Where beneficial ownership cannot be satisfactorily established, the Company may refuse onboarding or terminate the relationship.

7. Customer Risk Assessment

A customer risk assessment shall be conducted prior to onboarding.

Risk factors may include:

• Customer type;
• Industry sector;
• Geographic exposure;
• Products and services utilised;
• Transaction expectations;
• Ownership complexity;
• Regulatory status;
• PEP exposure;
• Adverse media findings.

Customers shall be classified according to the Company's risk rating methodology.

8. Enhanced Due Diligence

Enhanced Due Diligence ("EDD") shall be applied where higher ML/TF risks are identified.

EDD measures may include:

• Collection of additional identification documents;
• Verification of source of funds;
• Verification of source of wealth;
• Senior management approval;
• Enhanced transaction monitoring;
• More frequent customer reviews.

EDD shall generally be applied to:

• High-risk customers;
• Politically Exposed Persons;
• Customers from higher-risk jurisdictions;
• High-risk industries;
• Customers exhibiting unusual transaction behaviour.

9. Source of Funds

The Company may request evidence demonstrating the legitimate origin of funds used in transactions.

Examples may include:

• Employment income records;
• Bank statements;
• Investment statements;
• Sale agreements;
• Inheritance documentation;
• Tax records;
• Corporate financial statements;
• Other supporting evidence deemed acceptable by Compliance.

10. Source of Wealth

Where required, customers may be requested to demonstrate how their overall wealth was accumulated.

Evidence may include:

• Business ownership documentation;
• Financial statements;
• Property ownership records;
• Investment portfolios;
• Inheritance records;
• Tax documentation;
• Other credible supporting evidence.

11. Ongoing Due Diligence

Customer information shall be reviewed and updated periodically in accordance with the customer's risk rating.

Additional reviews may be triggered by:

• Material changes in customer information;
• Significant transaction activity;
• Adverse media findings;
• Regulatory developments;
• Compliance concerns.

12. Record Retention

All information obtained during customer identification and verification shall be retained in accordance with the Company's Record Keeping and Data Retention Policy.

Records must be maintained in a manner that enables retrieval upon request by authorised personnel, auditors, regulators, or law enforcement authorities.

Annex 2 — Criteria for Identifying Suspicious Operations or Transactions

1. Purpose

The purpose of this Annex is to establish guidance for identifying transactions, activities, behaviours, and circumstances that may indicate money laundering, terrorist financing, fraud, sanctions evasion, or other forms of financial crime.

The indicators listed in this Annex are intended to assist employees and Compliance personnel in recognising potentially suspicious activity and determining when further review, investigation, escalation, or reporting may be required.

The presence of one or more indicators does not automatically mean that criminal activity has occurred. Each case shall be assessed based on the customer's profile, expected activity, supporting documentation, and surrounding circumstances.

2. General Principles

The Company shall adopt a risk-based approach when assessing suspicious activity indicators.

Employees are expected to exercise professional judgment and consider:

• The customer's known profile;
• Historical transaction behaviour;
• Source of funds and source of wealth information;
• Geographic exposure;
• Nature of products and services utilised;
• Information obtained during customer due diligence;
• Results of transaction monitoring and screening activities.

Where concerns remain after reasonable review, the matter shall be escalated to Compliance without delay.

3. Customer Behaviour Indicators

Potentially suspicious behaviour may include, but is not limited to:

• Reluctance or refusal to provide requested identification or supporting documentation;
• Providing information that is inconsistent, incomplete, misleading, or difficult to verify;
• Attempts to avoid customer due diligence procedures;
• Frequent changes in information without reasonable explanation;
• Use of multiple accounts, entities, or intermediaries without a clear business purpose;
• Unusual secrecy regarding ownership, source of funds, or intended transactions;
• Unwillingness to explain the purpose of transactions;
• Behaviour suggesting that the customer is acting on behalf of an undisclosed third party;
• Attempts to pressure employees into bypassing controls or accelerating approvals.

4. Transaction-Related Indicators

Transactions may warrant further review where they:

• Are inconsistent with the customer's known profile or expected activity;
• Lack an apparent economic, commercial, or lawful purpose;
• Involve unusually large amounts relative to the customer's known financial position;
• Occur in volumes or frequencies that differ significantly from historical patterns;
• Appear structured to avoid regulatory thresholds or monitoring controls;
• Involve rapid movement of funds through multiple accounts or wallets;
• Demonstrate layering or other characteristics commonly associated with money laundering;
• Are repeatedly cancelled, reversed, or re-submitted without reasonable explanation;
• Involve unexplained third-party payments or receipts.

5. Virtual Asset and Crypto-Asset Indicators

The following may indicate elevated ML/TF risk involving virtual assets:

• Transfers involving high-risk wallets identified through blockchain analytics tools;
• Transactions linked to darknet marketplaces, ransomware activities, fraud schemes, or sanctioned entities;
• Use of mixing services, tumblers, privacy-enhancing protocols, or anonymity tools designed to obscure transaction origins;
• Multiple transfers designed to conceal beneficial ownership or transaction history;
• Significant transaction activity inconsistent with the customer's stated purpose for using virtual assets;
• Transfers involving jurisdictions known for weak AML/CTF controls;
• Frequent movement of assets between multiple exchanges without a clear commercial purpose;
• Attempts to circumvent Travel Rule requirements.

6. Geographic Risk Indicators

Additional scrutiny may be required where transactions involve:

• Jurisdictions subject to international sanctions or embargoes;
• Countries identified as having significant deficiencies in AML/CTF controls;
• Jurisdictions associated with high levels of corruption, organised crime, terrorist activity, or financial secrecy;
• Countries identified by reputable international organisations as presenting elevated financial crime risks;
• Frequent transfers between unrelated parties located in multiple high-risk jurisdictions.

7. Legal Entity and Corporate Indicators

Potential red flags relating to corporate customers include:

• Complex ownership structures with no apparent commercial rationale;
• Use of nominee shareholders or directors without adequate explanation;
• Difficulty identifying ultimate beneficial owners;
• Frequent changes in ownership, directors, or control structures;
• Companies with limited business presence but significant transaction volumes;
• Inconsistencies between stated business activities and actual transaction behaviour;
• Newly incorporated entities engaging in unusually large transactions shortly after establishment;
• Shell company characteristics or lack of identifiable business operations.

8. Source of Funds and Source of Wealth Indicators

Enhanced review may be required where:

• Source of funds cannot be satisfactorily explained;
• Supporting documentation appears altered, incomplete, or unreliable;
• Wealth accumulation appears inconsistent with known employment, business activities, or financial position;
• Funds originate from unrelated third parties without reasonable explanation;
• Customer explanations are inconsistent with available evidence;
• Significant funds are received from high-risk sectors or jurisdictions.

9. Sanctions, PEP, and Adverse Media Indicators

Potential concerns may arise where:

• A customer or related party appears on sanctions lists;
• A customer is identified as a Politically Exposed Person and risk factors remain unresolved;
• Adverse media links the customer to corruption, fraud, organised crime, financial crime, or regulatory misconduct;
• The customer is associated with sanctioned individuals or entities;
• The customer attempts to conceal relationships with politically exposed or sanctioned persons.

10. Internal Escalation Requirements

Employees who identify suspicious activity indicators shall promptly notify the Designated Compliance Officer and provide all relevant supporting information.

Employees are not responsible for determining whether a Suspicious Transaction Report should be filed. Their responsibility is to identify, document, and escalate concerns appropriately.

11. Compliance Review

Upon receipt of an escalation, Compliance shall:

• Review available customer and transaction information;
• Conduct additional enquiries where necessary;
• Evaluate the level of suspicion and associated risk;
• Document findings and conclusions;
• Determine whether regulatory reporting obligations arise;
• Recommend appropriate risk mitigation measures.

12. Reporting Obligations

Where Compliance determines that reasonable grounds for suspicion exist, the Company shall submit the required report to FINTRAC or the relevant competent authority in accordance with applicable legal and regulatory requirements.