1.INTRODUCTION

PAYCOTCOM SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (hereinafter the “Company”) is a limited liability company registered in Poland with:

• Registration number: 0001025475
• Registered address: ul. Władysława Reymonta 15/1, 60-791 Poznań, POLAND

The Company provides services of buying and selling of cryptocurrency for fiat currency, exclusively via its website paycot.com. Such activity is classified as exchange between virtual currencies and means of payment according to Article 2 item 1 of the Act on Combating Money Laundering and the Financing of Terrorism of Poland (hereinafter in the text – the “Act”), thus making the Company an obliged entity.

The Company is supervised by the General Inspector of Financial Information (the GIFI). The GIFI is supported in realization of the tasks by the Department of Financial Information of the Ministry of Finance, which acts as the Polish Financial Intelligence Unit (hereinafter in the text – the “FIU”).

The Company is registered in the Virtual Currency Activity Register (Rejestr działalności w zakresie walut wirtualnych) under No. RDWW-359 as per requirements of the Act.

100% of the Company’s Customers are natural (physical) persons who transact with the Company either as buyer or seller. The Company’s customers cannot transact with each other.

The purpose of this Anti-Money Laundering and Counter-Terrorist Policy (hereinafter, the “AML Policy”) is to lay down the Company’s internal practices, measures, procedures and controls relevant to the prevention of Money Laundering and Terrorist Financing (hereinafter, the “AML”).

The AML Policy is drafted and periodically updated by the Company’s Compliance Officer (hereinafter, the “Compliance Officer”), based on the general principles set up by the Company’s Board of directors (hereinafter, the “Board”) and Senior management in relation to the AML.

This AML Policy is primarily based on the:

• The Act;
• Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.

The Board undertakes to ensure that both the Company’s members and employees comply with the requirements set out in both this AML Policy and the Act and provides continuous training on the topics addressed in the AML Policy.

The AML Policy applies to all Company’s Customers, irrespective of the Customer’s frequency and size of transactions.

In this respect, the Compliance Officer shall be responsible to update the AML Policy so as to comply with the relevant Money Laundering and Terrorist Financing laws (hereinafter, the “AML Laws”) and future requirements, as applicable, regarding the Customer identification and due diligence procedures which the Company must follow.

Criminals particularly target financial services firms through which they attempt to launder their funds from criminal actions in order to clear their criminal funds, and the most challenging is that their intention is to do such clearing without the firms' knowledge or suspicion.

Therefore, the European Union has passed Directives designed to combat money laundering and terrorism financing. These Directives, together with regulations, rules and industry guidance, form the cornerstone of the Company's AML obligations and outline the offences and penalties for failing to comply with.

The Company has implemented systems and procedures that meet the standards set forth by the European Union for AML purposes. These systems and procedures reflect the senior management's desire to prevent money laundering and not be used by criminals to launder proceeds of crime.

2. DEFINITIONS

For the purpose of this AML Policy, the following definitions apply:

• “Beneficial owner” is intended with the meaning of Article 2 item 2 point 1) of the Act;
• “Business relationship” is intended with the meaning of Article 2 item 2 point 20) of the Act;
• "Beneficial Ownership Structure" refers to the arrangement identifying individuals who ultimately own or control a legal entity, directly or indirectly, through ownership or other means. This includes individuals with at least 25% ownership or voting rights, or control through other means, as per Article 2, item 2, point 1) of the Act.
• “Customer” is intended with the meaning of Article 2 item 2 point 10) of the Act, further specification as prescribed by the AML Policy;
• “Family member” is intended with the meaning of Article 2 item 2 point 3) of the Act;
• “High-risk third country” is intended with the meaning of Article 2 item 2 point 13) of the Act;
• "Legal Entity" refers to any incorporated organization, company, or partnership that has legal standing to enter into transactions with the meaning of a legal person as described in Article 2, item 2, point 4) of the Act;
• “Money laundering” is intended with the meaning of an act referred to in Article 299 of the Act of 6 June 1997 – The Criminal Code of Poland.
• “Politically exposed person” is intended with the meaning of Article 2 item 2 point 11) of the Act;
• “Risk assessment” is intended with the meaning of Article 27 of the Act;
• “Senior management [of obliged entity]” is intended with the meaning of Article 2 item 2 point 9) of the Act;
• “Terrorist financing” is intended with the meaning of an act referred to in Article 165a of the Act of 6 June 1997 - Penal Code of Poland (Journal of 2017 item 2204 and of 2018 items 20, 305 and 663);
• “Transaction” is intended with the meaning of Article 2 item 2 point 21) of the Act;
• “Virtual currency” is intended with the meaning of Article 2 item 2 point 26) of the Act, further specification as prescribed by the AML Policy;

3.2. COMPLIANCE OFFICER

The Company ensures that only a person who has the education, professional suitability, the abilities, personal qualities, experience, and impeccable reputation required for the performance of the duties of a compliance officer may be appointed as a Compliance Officer.

Where, as a result of internal or external checks, it becomes evident that the person's reliability is under suspicion due to their past acts or omissions, the person's reputation cannot be considered impeccable, and the Company may extraordinarily terminate the Compliance Officer's employment agreement due to the loss of confidence.

The Compliance Officer reports directly to the Board and has the competence, means, and access to relevant information across all the units of the company for the purpose of performing his/her duties.

The Compliance Officer, inter alia:

1. Reviews this AML Policy and updates it periodically as may be necessary;

2. Monitors and assesses the correct and effective implementation of this AML Policy, the practices, measures, procedures, and controls and in general the implementation of the AML Policy;

3. Ensures the implementation of this AML Policy throughout the Company;

4. In the event that the Compliance Officer identifies shortcomings and/or weaknesses in the application of the required practices, measures, procedures and controls, gives appropriate guidance for corrective measures and where deems necessary informs the Board;

5. Receives information from the Company's employees which is considered to be knowledge or suspicion of money laundering or terrorist financing activities or might be related to such activities and takes further actions as per the AML Policy;

6. Organises the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the Company;

7. Reports to the FIU in the event of suspicion of money laundering or terrorist financing;

8. Submits to the Board written statements on compliance with the requirements arising from the relevant Laws periodically;

9. Ensures the preparation and maintenance of the lists of Customers categorised, following a risk-based approach. The list contains, among others, the names of Customers, their account number and the dates of the commencement of the Business Relationship. Moreover, the Compliance Officer ensures that the said list is timely updated with all new or existing Customers, in light of any additional information obtained;

10. Performs other duties and obligations related to compliance with the requirements stipulated below;

11. Evaluates the systems and procedures applied by a third person on whom the Company may rely for Customer identification and due diligence purposes, according to the AML Policy, and approves the cooperation with it;

12. Ensures that the branches and subsidiaries of the Company, if any, that operate in countries outside the EEA, have taken all necessary measures for achieving full compliance with the provisions of the AML Policy, in relation to Customer identification, due diligence, and record-keeping procedures.

The Compliance Officer has the right to:

1. Make proposals to the Board for amendment and modification of the rules of procedure containing AML requirements and organisation of employees' appropriate training;

2. Demand that the departments of the Company eliminate within a reasonable time the deficiencies identified in the implementation of the AML requirements;

3. Receive data and information required for the performance of the duties of a compliance officer;

4. Make proposals for the organisation of the process of submission of notifications of suspicious and unusual transactions;

5. Receive training in the field.

Where no Compliance Officer has been appointed, the duties of a Compliance Officer are performed by the member of the Board in charge of implementing the Act and legislation and guidelines adopted on the basis thereof.

3.3. RISK-BASED APPROACH

The Company takes security measures and has adopted policies, practices and procedures that promote high ethical and professional standards and prevent the Company from being used, intentionally or unintentionally, by criminals.

The Company applies appropriate measures and procedures, by adopting a risk-based approach, so as to focus its effort in those areas where the risk of Money Laundering and Terrorist Financing appears to be comparatively higher.

In this aspect the measures are being considered with a risk-based approach to ensure that the risk of money laundering and terrorist financing is appropriately considered and managed in the course of daily activities.

The risk-based approach adopted by the Company, and described in the AML Policy, involves specific measures and procedures in assessing the most cost-effective and appropriate way to identify and manage the Money Laundering and Terrorist Financing risks faced by the Company.

The Company puts in place Know Your Customer (hereinafter, “KYC”) mechanisms as an essential element for providing its services, risk management and control. Such mechanisms include:

• Customer acceptance policy;
• Customer identification policy - identifying and assessing the Money Laundering and Terrorist Financing risks emanating from particular Customers or types of Customers, financial instruments, services, and geographical areas of operation of its Customers;
• Ongoing monitoring of high-risk Customers - continuous monitoring and improvements in the effective operation of the policies, procedures and controls;
• Risk management mechanism - managing and mitigating the assessed risks by the appropriate and effective measures, procedures and controls;
• Categorisation of Customers on a risk basis.

The adopted risk-based approach that is followed by the Company, and described in the AML Policy, has the following general characteristics:

1. Recognises that the money laundering or terrorist financing threat varies across Customers and depends on different indicators:
   1. a. Countries of origin,
   2. b. Transaction origin - the country of origin and destination of Customers' funds,
   3. c. Investment purposes and nature of business transactions,
   4. d. The nature (e.g. non-face-to-face) and economic profile of Customers as well as of financial instruments and services offered, and
   5. e. The volume and size of transactions
2. Allows the Board to differentiate between Customers in a way that matches the risk of their particular business;
3. Allows the Board to apply its own approach in the formulation of policies, procedures and controls in response to the Company's particular circumstances and characteristics;
4. Helps to produce a more cost-effective system;
5. Promotes the prioritisation of effort and actions of the Company in response to the likelihood of Money Laundering and Terrorist Financing occurring through the use of the Services. The intensity of KYC programs beyond these essential elements is tailored to the degree of risk.

3.4. Segregation of Duties

To ensure robust internal controls and mitigate risks related to Money Laundering and Terrorist Financing, the Company implements a segregation of duties framework across all relevant operational and compliance functions. Segregation of duties is essential to prevent any single individual from having undue control over critical processes, and to reduce the risk of errors, misuse, or fraudulent activities. Accordingly, the responsibilities for customer onboarding, transaction approval, transaction monitoring, investigation of suspicious activities, and reporting to the Financial Intelligence Unit (FIU) are distributed among different employees or departments. The Compliance Officer operates independently from business-generating functions and is granted unrestricted access to all data and systems necessary to perform AML oversight duties. Periodic audits and reviews are conducted to ensure the effectiveness of this segregation, with adjustments made as necessary to adapt to organizational or regulatory changes. The Company also enforces role-based access controls to ensure that employees can access only the information required for their duties. This structured separation supports accountability, enhances compliance integrity, and aligns with regulatory expectations under the Act and applicable EU directives.

4. RISK-MANAGEMENT FRAMEWORK

4.1. IDENTIFICATION OF RISKS

The risk-based approach adopted by the Company involves the identification, recording and evaluation of the risks that have to be managed.

The Company shall assess and evaluate the risks it faces, for the use of the Services for the purpose of Money Laundering or Terrorist Financing. The particular circumstances of the Company determine suitable procedures and measures that need to be applied to counter and manage risk.

The Company shall be, at all times, in a position to demonstrate that the extent of measures and control procedures it applies are proportionate to the risk it faces for the provision of the Services, for the purpose of Money Laundering and Terrorist Financing.

For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to their activities, the Company prepares a risk assessment, taking account of at least the following risk categories:

• risks relating to customers nature;
• risks relating to countries, geographic areas or jurisdictions;
• risks relating to products, services or transactions;
• risk relating to communication, mediation or products, services, transactions or delivery channels between the obliged entity and customers.

The steps taken to identify, assess and analyze risks must be proportionate to the nature, size and level of complexity of the economic and professional activities of the Company.

As a result of the risk assessment, the Company established:

• fields of a lower, normal and higher risk of money laundering and terrorist financing;
• the risk appetite and services provided in the course of business activities; and
• the risk management model, including enhanced due diligence measures, in order to mitigate identified risks.

The following, inter alia, are sources of risks which the Company faces with respect to Money Laundering and Terrorist Financing:

1. 1. Risks based on the Customer's nature:
• a. complexity of ownership structure of legal persons belonging to the Customer;
• b. PEPs;
• c. Customers from high risk countries or countries known for high level of corruption or organised crime or drug trafficking;
2. 2. Risks based on the Customer's behaviour:
• a. situations where the origin of wealth and/or source of funds cannot be easily verified;
• b. unwillingness of Customers to provide information on the Beneficial Owners of a legal person;
3. 3. Risks based on the Company's services:
• a. services that allow payments or transfers to third persons/parties;

4.2. MEASURES AND PROCEDURES TO MANAGE AND MITIGATE THE RISKS

Taking into consideration the assessed risks, the Company determines the type and extent of measures it will adopt in order to manage and mitigate the identified risks in a cost-effective manner. These measures and procedures include:

• adoption of rules of procedure that allow for effective mitigation and management of, inter alia, risks relating to money laundering and terrorist financing the Customer Due Diligence Procedures in respect of Customers in line with their risk profile;
• Money Laundering and Terrorist Financing risk;
• Requiring the quality and extent of required identification data for each type of Customer to be of a certain standard (e.g. documents from independent and reliable sources, third person information, further information and documentary evidence, etc.);
• Obtaining additional data and information from the Customers, where this is appropriate for the Proper and complete understanding of their activities and source of wealth and for the effective management of any increased risk;
• ● Proper and complete understanding of their activities and source of wealth and for the effective management of any increased risk; and
• Ongoing monitoring of high-risk Customers' transactions and activities, as and when applicable.

To follow the measures and procedures, the Company established, and states herein below, internal control rules that describe the internal control system including the procedure for the implementation of internal audit and, where necessary, compliance control.

The measure and procedures must contain at least the following:

1. procedure for the application of due diligence measures regarding a customer, including a procedure for the application of enhanced due diligence, and even highly enhanced due diligence in exceptional cases or highly risk ranked customers;
2. a model for identification and management of risks relating to a customer and the determination of the customer's risk profile;
3. the methodology of handling suspicious customers or circumstances involved;
4. instructions for performing the reporting obligation;
5. the procedure for data retention and making data available;
6. instructions for effectively identifying whether a person is a politically exposed person or a local politically exposed person subject to international sanctions (including the Office of Foreign Assets Control (OFAC), His Majesty’s Treasury (HMT) European Union (EU) consolidated lists etc.) or a person whose place of residence or seat is in a high-risk third country or country that meets the criteria;
7. the procedure for identification and management of risks relating to new and existing technologies, and services and products, including new or non-traditional sales channels and new or emerging technologies.

The measure and procedures must be proportionate to the nature, size and level of complexity of the economic and professional activities of the Company and these must be established by the senior management.

The Company regularly checks if the established measure and procedures and the internal control rules are up to date and, where necessary, establish new rules of procedure and internal control rules or make required modifications therein.

The Company ensures that the employees whose employment duties include the establishment of business relationships or the making of transactions are provided with training in the performance of the duties and obligations in accordance to Money Laundering and Terrorist Financing Prevention Act and such training must be provided when the employee commences performance of the specified employment duties, and thereafter regularly or when necessary.

4.3. DYNAMIC RISK MANAGEMENT

Risk management is a continuous process, carried out on a dynamic basis. Risk assessment is not an isolated event of a limited duration. Customers' activities change as well as the services offered by the Company change.

In this respect, it is the duty of the Compliance Officer to undertake regular reviews of the characteristics of existing Customers, new Customers, services and the measures, procedures and controls designed to mitigate any resulting risks from the changes of such characteristics. These reviews shall be duly documented, as applicable.

4.4. RELEVANT INTERNATIONAL ORGANISATIONS

For the development and implementation of appropriate measures and procedures on a risk based approach, and for the implementation of Customer Identification and Due Diligence Procedures, the Compliance Officer and the Administration/Back-Office Department consult data, information and reports, country assessment reports that are published in the following relevant international organisations:

5. CUSTOMER ACCEPTANCE PROCESS

The Customer Acceptance Policy (hereinafter, the “CAP”), following the principles and guidelines described in this AML Policy, defines the criteria for accepting new Customers and defines the Customer categorisation criteria which shall be followed by the Company and especially by the employees involved in the Customer Account Opening process. The General Principles of the CAP are the following:

1. The Company shall classify Customers into various risk categories and based on the risk perception decide on the acceptance criteria for each category of Customer.

2. Where the Customer is a prospective Customer, an account must be approved only after the relevant pre-account opening due diligence and identification measures and procedures have been conducted, according to the principles and procedures set in AML Policy.

3. No account shall be opened in anonymous or fictitious names(s).

The Company maintains clear customer acceptance policies and procedures, including a description of the types of customers that are likely to pose a higher than average risk. Before accepting a potential Customer, KYC and due diligence procedures are followed, by examining factors such as customers’ background, country of origin, public or high profile position, linked accounts, business activities or other risk indicators.

5.1. CRITERIA FOR ACCEPTING NEW CUSTOMERS (BASED ON THEIR RESPECTIVE RISK)

Upon assessment of factors referring to a higher risk, the following is deemed a situation increasing risks related to the customer as a person:

1. the business relationship foundations based on unusual factors, including in the event of complex and unusually large transactions and unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;

2. the customer is a resident of a higher-risk geographic area listed in subsection 4 of this section;

3. the ownership structure of the Customer’s company appears unusual or excessively complex, given the nature of the company’s business.

Upon assessment of factors referring to a higher risk, in particular the following is deemed a situation increasing risks related to the product, service, transaction or delivery channel:

1. private banking;

2. provision of a product or making or mediating of a transaction that might favour anonymity;

3. payments received from unknown or unassociated third parties;

4. a business relationship or transaction that is established or initiated in a manner whereby the customer, the customer’s representative or party to the transaction is not met physically in the same place;

5. new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.

Upon assessment of factors referring to a higher risk, in particular as situation where the customer, a person involved in the transaction or the transaction itself is connected with a following country or jurisdiction is deemed a factor increasing the geographical risk:

1. that, according to credible sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML systems;

2. that, according to credible sources, has significant levels of corruption or other criminal activity;

3. that is subject to sanctions (including the Office of Foreign Assets Control (OFAC), His Majesty’s Treasury (HMT) European Union (EU) consolidated lists etc.), embargos or similar measures issued by, for example, the European Union or the United Nations;

4. that provides funding or support for terrorist activities, or that has designated terrorist organizations operating within their country, as identified by the European Union or the United Nations.

Upon selection of enhanced due diligence measures the Company takes into account the relevant guidelines of the European supervisory authorities regarding risk factors.

The criteria for accepting new Customers and categorization of Customers based on their risk is being described below. The Compliance Officer shall be responsible for categorizing Customers in one of the following three categories based on the criteria of each category set below:

5.1.1. Low Risk Customers

The Company shall accept Customers who are categorized as low risk Customers as long as the general principles under this Paragraph 5 and the below Paragraph 6 are followed. Due Diligence Procedures for low risk Customers shall be applied, according to Paragraph 6 of this AML Policy, and provided that there is a low risk or no suspicion for money laundering and terrorist financing:

• PEPs' accounts;

• Customers who are residents of countries of the EEA.

• Customers from countries which inadequately apply FATF’s recommendations;

• Any other Customers whose nature entail a higher risk of money laundering or terrorist financing;

• Any other Customer determined by the Company itself to be classified as such.

5.1.2. Medium Risk Customers

These are the Customers who do not fall under the ‘low risk Customers’ or ‘high risk Customers’ categories set in this Paragraph.

The Company shall accept Customers who are categorized as normal risk Customers as long as the general principles under this Paragraph 5 and the below Paragraph 6 are followed. The Company shall apply the Enhanced Customer Identification and Due Diligence measures for normal risk Customers, according to Paragraph 6 of this AML Policy.

5.1.3. High-Risk Customers

The following types of Customers can be classified as High Risk Customers with respect to the Money Laundering and Terrorist Financing risk which the Company faces:

• PEPs’ accounts;

• Customers who are involved in electronic gambling/gaming activities through the internet;

• Customers from countries which inadequately apply FATF’s recommendations;

• Any other Customers whose nature entails a higher risk of money laundering or terrorist financing;

• Any other Customer determined by the Company itself to be classified as such.

The Company shall accept Customers who are categorized as High-Risk Customers as long as the general principles under Paragraphs 5 and 6 of this AML Policy are followed.

Moreover, the Company shall apply the Enhanced Due Diligence measures for high-risk Customers, according to Paragraphs 6 of the AML Policy and the due diligence for the specific types of High-Risk Customers shall be monitored by at least one member of the Governance Body, as applicable.

The Company has in place an internal procedure for KYC required documents for different types of High-Risk Customers, depending on their profile and information recorded, geographical origin, behavior, funds origin, account value, etc.

5.1.4 Legal Entity Customers

In compliance with the Act of 2018, the Company extends its Customer Acceptance Process to include legal entities. Legal entities must provide the following documentation:

• Legal Entity Identification:
  Official documents such as a certificate of incorporation or business registry extract to confirm legal existence, as per Article 13 of the Act.
• Beneficial Ownership:
  Identification of ultimate beneficial owners holding 25% or more of the entity’s shares or voting rights, in line with Article 34 of the Act.
• Authorized Signatories:
  Identification documents for all authorized signatories and proof of their authority (e.g., board resolution or power of attorney), in accordance with Article 13 of the Act.
• Source of Funds and Wealth:
  Verification of the legal entity’s source of funds through documents like bank statements or audited financial statements, as required by Article 34(2) of the Act.
• Risk Assessment:
  Legal entities are categorized based on their risk profile, with high-risk entities subject to enhanced due diligence, including more frequent monitoring, as per Articles 33 and 35 of the Act.

The Company ensures ongoing monitoring and periodic reviews of legal entity customers, in line with Article 43 of the Act, to maintain compliance and mitigate risks of money laundering and terrorist financing.

5.2. NOT ACCEPTABLE CUSTOMERS

The following list predetermines the type of Customers who are not acceptable for establishing a Business Relationship or an execution of an Occasional Transaction with the Company:

● Customers who fail or refuse to submit, the requisite data and information for the verification of his identity, without adequate justification

● Customers from the jurisdictions which are being banned by internal policies from the Company or international legislative sanctions (including the Office of Foreign Assets Control (OFAC), His Majesty’s Treasury (HMT) European Union (EU) consolidated lists etc.);

● Any other that the Company considers risky to its business or suspicious in regards to Money Laundering and Terrorist Financing.

Further, the Company will not accept customers, natural person or legal entities, residing in or incorporated in:

● The United States (certain U.S. states);

● The countries listed among the “High-Risk Jurisdictions subject to a Call for Action” or

“Jurisdictions under Increased Monitoring” by the FATF;

● The countries in which operate in cryptocurrencies is forbidden under the local relative pieces of law and regulations.

6. CUSTOMER DUE DILIGENCE AND IDENTIFICATION PROCEDURES

The Company applies due diligence measures:

1. upon establishment of a business relationship;

2. upon verification of information gathered while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;

3. upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided.

Where the Company’s policy requires enhanced due diligence, the due diligence measures must be applied as soon as the condition for enhanced due diligence is known for a particular Customer.

The Company maintains a systematic procedure for identifying new Customers and cannot enter into a service relationship until the identity of a new Customer is satisfactorily verified. The Company may accept the transaction order, however, it will not activate the account completely until the Customer provides all the KYC documents and satisfies the Company.

The Company pays special attention in the case of non-EU resident customers and in no case are short-circuit identity procedures followed just because the new customer is unable to present enough documents and information to satisfy the KYC and due diligence procedures.

As part of its obligation to exercise due diligence in customer identification, the Company must confirm that the identity information which it holds for its customers remains fully updated with all necessary identification and information throughout the business relationship.

The Company maintains clear standards and policies, on what records must be kept for customer identification and individual transactions. Such practice is essential to permit the Company to monitor its relationship with the customer, to understand the customer’s ongoing business and, if necessary, to provide evidence in the event of disputes, legal action, or a financial investigation that could lead to criminal prosecution. To ensure that records remain up-to-date and relevant, the Company undertakes regular reviews of existing records.

The Company reviews and monitors on a regular basis the validity and adequacy of customer identification information in its possession. Notwithstanding the above and taking into account the degree of risk, if it becomes apparent at any time during the business relationship that the Company lacks sufficient or reliable evidence (data) and information on the identity and financial profile of an existing customer, the Company will immediately take all necessary actions using the identification procedures and measures to provide due diligence, in order to collect the missing data and information as quickly as possible and in order to determine the identity and create a comprehensive financial profile of the customer.

An appropriate time to do so is when a transaction of significance takes place, when customer documentation standards change substantially, or when there is a material change in the way that the account is operated, a significant transaction that appears to be unusual and/or a significant change in the situation and legal status of the customer such as:

• Volume of transactions
• Value of transactions
• Nature and source of funds
• Request for opening a new account in order to provide new investment services and/or financial instruments.

However, if the Company becomes aware, at any time, that it lacks sufficient information about an existing customer, immediate steps are taken to ensure that all relevant information is obtained as quickly as possible. In no solution, remediation and/or mitigation has been found then the Company will terminate the Customer’s account, and not continue with his business.

Where the Customer refuses or fails to provide the required documents and information for identification and creation of a financial portrait, during the execution of an individual transaction without adequate justification, the Company will not proceed in a contractual relationship or will not execute the transaction and may also report it to the competent authority. This can lead to a suspicion that the customer is engaged in money laundering and terrorist financing.

If during the business relationship the customer refuses or fails to submit all required documents and information, within a reasonable time, the Company has the right to terminate the business relationship and close the accounts of the Customer. The compliance department also examines whether to report the case to the competent authority.

Customer identification must be carried out as soon as reasonably practicable after first contact is made.

6.1. Identification requirements of a Natural Person

In addition to the aim of preventing Money Laundering and Terrorist Financing, the information mentioned below is also essential for implementing the financial sanctions imposed against various persons by the United Nations and the European Union. In this respect, passport’s number, issuing date and country as well as the Customer’s date of birth always appear on the documents obtained, so that the Company would be in the position to verify precisely whether a Customer is included in the relevant list of persons subject to financial sanctions which are issued by the United Nations or the European Union based on a United Nations Security Council’s Resolution and Regulation or a Common Position of the European Union’s Council respectively.

While identifying the customer, the Company may rely on third parties to collect and check the identity documents of the Customer.

The Company obtains all information necessary to establish to its full satisfaction the identity of each new Customer and the purpose and intended nature of the business relationship. The extent and nature of the information depends on the type of applicant (personal, corporate, etc.) and the expected size of the account. Therefore, the Company has categorized the Customers (natural persons) as follows.

(a) Category 1 (Low-risk Customers). Due Diligence

The Company shall obtain the following information to ascertain the true identity of the natural persons:

• A. First and last name
• B. Citizenship
• C. Personal Identification Number (PESEL) or the date of birth-where no PESEL number has been assigned, and the country of birth
• D. the series and number of a document evidencing the person's identity;
• E. the place of residence-if the obliged institution has this information; and
• F. the business name, the tax identification number (NIP), and the address of the principal place of business-in the case of a natural person conducting economic activity;

In order to verify the Customer’s identity/name the Company shall request the Customer to present an original document which is issued by an independent and reliable source that carries the Customer’s photo (e.g. Passport, National Identity cards, Driving License etc.). After the Company is satisfied with the Customer’s identity from the original identification document presented, it will keep copies.

The Company shall be able to prove that the said document is issued by an independent and reliable source.

In this respect, the Compliance Officer shall be responsible to evaluate the independence and reliability of the source and shall duly document and file the relevant data and information used for the evaluation, as applicable.

Document acceptable and provided by the Customers must be clearly readable and fully visible. If the document has expired, the Customer is required to provide a new one before being able to continue use the services of the Company.

(b) Category 2 (Normal-Risk Customers). Due Diligence

For Customers that fall within this Category, the same Due Diligence is applied, but the Company may request the following additional information:

• A. about the customer identification;
• B. about the planned substance of the business relationship;
• C. about the origin of the funds and wealth of the customer and its beneficial owner;
• D. about the underlying reasons of planned or executed transactions;
• E. any other information in order to assist the Company to decide whether to establish or continue a business relationship;

The Company may also perform the following procedures as part of its independent and internal checks, when comes to a need of an enhanced due diligence:

• A. verification of information additionally submitted upon identification of the person based on additional documents, data or information originating from a credible and independent source;
• B. gathering additional information on the purpose and nature of the business relationship, transaction or operation and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;
• C. gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the business relationship in order to rule out the sensibility of the transactions;

(c) Category 3 (High-Risk Customers). Enhanced Customer Due Diligence

For the High-Risk Customers, the Company ensures to gather the documents that are requested from Low and Normal-risk Customers.

Thus, in addition to the documents provided as part of the assessment in Category 1 and 2, the Company may ask additional documents (as applicable) or the received ones to be authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions.

If in doubt for the genuineness of any document (passport, national identity card, or documentary evidence of address), the Company shall seek verification of identity with an Embassy or the Consulate of the issuing country or a reputable credit or financial institution situated in the Customer's country of residence.

Further to the above, the Company shall request, depending on the circumstances and risk profile of the Customer, additional documents and a auto-portrait ('Selfie picture'), video call, proofs of source of funds and supportive documents, notarization KYC documents, and even apostilled documents. All these measures are being used according to the scale of risk being identified internally by the Governance Body.

6.1.1 Identification Requirements for a Legal Entity

The Company applies a structured due diligence process for legal entities, categorized by risk level: low, medium, and high. No business relationship may be established with a legal entity until its identity, ownership structure, and authorized signatories are fully verified. Each risk category requires varying degrees of documentation and verification.

(a) Category 1 (Low-Risk Legal Entities): Due Diligence

For legal entities assessed as low risk, the Company requires standard due diligence measures, which include gathering basic identification documents and verifying essential information.

1. Identification of Legal Entity:
   The Company collects the full legal name, registration number, tax identification number (TIN), registered address, and business address of the entity. Additionally, information about the entity's industry or sector of operation is obtained to assess its nature of business. A copy of the certificate of incorporation or a recent company extract is required to confirm legal standing and jurisdiction.
2. Ownership Structure and Beneficial Owners:
• A. Identification of Beneficial Owners: The Company identifies all individuals holding 25% or more of the entity’s ownership or voting rights.
• B. Ownership Documentation: Relevant documents, such as share certificates or organizational charts, are collected to verify the ownership structure.
3. Authorized Signatories: The Company gathers identification documents (e.g., passport, national ID) for each authorized signatory and proof of their authority, such as a board resolution or power of attorney. Additionally, video identity verification is mandatory to ensure authenticity and to confirm the identity of the authorized signatory.
4. Source of Funds: General information about the entity’s primary revenue sources is collected, typically through recent financial statements or reports on the industry in which it operates. For low-risk entities, this information can be provided through the questionnaire without requiring documentary proof, subject to compliance with the Company’s risk-based approach.
5. Verification of Information: Verification is performed through a reliable, independent source, such as business registry databases or third-party services, to ensure accuracy.

(b) Category 2 (Medium-Risk Legal Entities): Due Diligence

For medium-risk legal entities, additional documentation and more in-depth verification measures are required.

1. Detailed Entity Identification: The Company collects the full legal name, registration number, TIN, registered address, and contact details. Official registration documents, such as the certificate of incorporation, are obtained and verified to confirm the legal standing of the entity.
2. Comprehensive Ownership Structure and Beneficial Owners:
   • A. Identification of Beneficial Owners: The Company identifies all individuals with a 25% or greater ownership stake. For entities with complex ownership structures, intermediary entities and any layered ownership are also documented.
   • B. Verification of Beneficial Owners: The Company collects personal identification documents for beneficial owners holding a significant ownership stake (e.g., 25% or more), supported by corporate ownership records such as organizational charts or shareholder agreements. For other beneficial owners, a risk-based approach may be applied to determine whether additional verification steps are necessary.
3. Authorized Signatories and Key Management:
   • A. Signatory Identification: Identification documents are gathered for each authorized signatory, including a passport or national ID. To ensure authenticity, video identity verification is mandatory for all authorized signatories.
   • B. Authority Documentation: Proof of each signatory’s authority within the entity (e.g., board resolution, power of attorney) is collected, and key executives (such as CEO or CFO) are documented.
   • C. Source of Funds and Wealth: The Company requests documentation on the entity’s source of funds, including recent bank statements from corporate accounts, contracts for major revenue sources, and recent financial statements. Additional documentation may include tax filings or records of substantial assets.
4. Verification and Additional Checks: The Company performs independent verification through reliable sources, including background checks on the directors and beneficial owners, to ensure the information provided is accurate and complete.

(c) Category 3 (High-Risk Legal Entities): Enhanced Due Diligence

For high-risk legal entities, the Company conducts a rigorous due diligence process that includes collecting comprehensive identification and verification documents. This involves obtaining certified copies of registration documents, such as a notarized certificate of incorporation, to confirm legal existence. The ownership structure is scrutinized in detail, with all beneficial owners holding 25% or more identified, and their documents authenticated or notarized to confirm their identities and roles.

Authorized signatories must provide verified identification, along with notarized documentation that confirms their authority within the entity. Key individuals, such as senior management, are also subject to enhanced background checks to identify any connections to high-risk jurisdictions or politically exposed persons. Additionally, thorough verification of the source of funds is conducted, including bank statements, contracts, and audited financials, to ensure that the entity’s funds originate from legitimate sources.

High-risk entities are further subject to independent verification of information through embassy or consulate confirmations if necessary. Apostilled documents may be required, and international databases are used to validate beneficial ownership. For significant or unusual transactions, real-time monitoring is applied, with Compliance Officer approval required before processing. Regular reviews of transactional behavior are conducted to detect any patterns indicative of illicit activity.

6.2. Establishing the Source of Funds as part of Enhanced Due Diligence (EDD)

The Company follows a risk-based approach when establishing Source of Funds (“SOF”).

The risk-based approach is that the Company is on alert to any possibility that the funds may not be from a legitimate source or are not destined for a legitimate purpose. For example, when funds are sourced from a high-risk third country with inadequate AML legislation and regime, it is appropriate to obtain more information before proceeding with any transaction.

For the purpose of ensuring that the source of the funds is legitimate, the Company undertakes the following measures:

• 1. Considers the reliability of the Customer based on the information provided;
• 2. Questions information and/or proof documents of the source of funds that the Customer intends to invest for the use of Services;
• 3. Considers the jurisdiction and the bank rating that those money are being transferred;
• 4. Considers whether the funds are being transferred from an account which is held in name of the Customer or a third party;

Where the funds come from a third party, the risk is greater and further enquiries shall be made by the Company:

• ● about the relationship between the Customer and the ultimate underlying principal of the funds (i.e. the actual provider of the funds)
• ● assessing whether the purpose of the transaction is in line with the documented profile of the Customer.

The Company undertakes to ensure that the source of funds is logical and backed by supporting documentation. See Appendix III for examples of details required when assessing the source of funds, together with suggested documentary evidence.

6.3. Reliance on data gathered by other person (“third party”) and outsourcing of application of due diligence measures

The Company may rely on data and documents gathered by another person (“third party”), where all the following criteria are met:

• 1. the Company gathers at least from that third-party the due diligence information, their representative and the beneficial owner, as well as what is the purpose and nature of the business relationship or transaction;
• 2. the Company has ensured that, where necessary, it is able to immediately obtain all the data and documents whereby it relied on data gathered by another person;
• 3. the Company has established that the third party who is relied on is required to comply and actually complies with requirements equal to those established by Directive (EU) 2015/849 of the European Parliament and of the Council, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and is under or is prepared to be under state supervision regarding compliance with the requirements;
• 4. the obliged entity takes sufficient measures to ensure compliance with the criteria provided herein.

The Company may also outsource an activity related to the Customers’ identification to:

• 1. another obliged entity;
• 2. an organisation, association or union whose members are obliged entities, or
• 3. another person who applies the due diligence measures and data retention requirements provided by AML Laws and who is subject to or is prepared to be subject to AML supervision or financial supervision in a contracting state of the European Economic Area regarding compliance with requirements.

To outsource an activity, the obliged entity concludes a written contract which ensures that:

• 1. the outsourcing of the activity does not impede the activities of the Company or performance of the duties and obligations provided in applicable AML Laws;
• 2. the third party performs all the duties of the Company relating to the outsourcing of the activity;
• 3. the outsourcing of the activity does not impede exercising supervision over the Company;
• 4. the competent authority can exercise supervision over the person carrying out the outsourced activity via the Company, including by way of an on-site inspection or another supervisory measure;
• 5. the third party has the required knowledge and skills and the ability to comply with the requirements provided in this AML Policy and the relevant AML Laws;
• 6. the Company has the right to, without limitations, inspect compliance with the requirements provided for in this Act;
• 7. documents and data gathered are retained and, at the request of the Company, copies of documents relating to the identification of a customer and its beneficial owner or copies of other relevant documents are handed over or submitted to the competent authority immediately.

In case of any outsourcing arrangements the Company shall be responsible for compliance with requirements arising from AML Laws.

6.4. Transactions with Politically Exposed People (“PEP”)

When the Customer is a PEP, a family member of a PEP or a person known to be a close associate of a PEP, the Company applies the following due diligence measures in addition to the due diligence measures stipulated above in this AML Policy:

1. have appropriate risk-based procedures to determine whether the Customer (or the Beneficial Owner) is a PEP;

2. have Senior Management approval for establishing Business Relationships with such Customers or for the continuation of the Business Relationships with existing Customers which have become PEPs;

3. take adequate measures to establish the source of wealth and source of funds;

4. categorize the Customer as high-risk and conduct enhanced due diligence and monitoring of the Business Relationship.

Where a PEP no longer performs important public functions placed upon them, the Company must at least within 12 months take into account the risks that remain related to the person and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of PEPs no longer exist in the case of the person.

6.5. List of Accepted documents

1. Primery Government-Issued Documents with a Photograph

These documents must:

● Include the customer's full name and a recent, clear photograph.

● Incorporate either their residential address or date of birth.

● Be valid (not expired) and tamper-free.

● Contain visible security features, such as holograms, watermarks, or chip technology.

Valid Passport

Secondary Government-Issued Documents with a Photograph

Valid Photocard Driving Licence

• Issued in a standard EU-compliant format.
• Contains:
  • o Full name
  • o Date of birth
  • o Photograph
  • o Issue and expiry dates
  • o Driving licence number
  • o Address (may vary)
• Includes security features such as UV-sensitive ink, holographic seals, and lamination to prevent forgery.

Temporary Residence Permit

• Issued to foreign nationals residing temporarily in Poland or any EU country.
• Contains:
  • o Full name
  • o Date of birth
  • o Photograph
  • o Issue and expiry dates
  • o Document number
  • o Purpose of residence (e.g., work, study, family reunification)
• Includes security features such as holograms, watermarks, microtext, and a machine-readable zone (MRZ).

7. ONGOING MONITORING PROCESS

The Company has established principles for monitoring a business relationship, which include at least the following:

1. Checking of transactions made in a business relationship:
   • o Ensure that the transactions are consistent with the Company’s knowledge of the customer, their activities, and risk profile.
   • o For legal entities, periodically review all transactions to confirm alignment with the expected business activity and declared source of funds.
   • o Employ data analytics and automated systems to detect unusual patterns, such as large or frequent transactions that diverge from typical financial behavior, involve high-risk jurisdictions, or involve unrelated third parties.
2. Regular updating of relevant documents, data, or information gathered in the course of applying due diligence measures:
   • o Schedule regular updates of the legal entity’s documentation, particularly regarding ownership structure, beneficial owners, and authorized signatories. Standard-risk entities undergo annual reviews, while high-risk entities are reviewed bi-annually.
   • o Ensure that any updates to beneficial ownership structures, authorized signatories, or other material changes are documented and verified.
3. Identification of the source and origin of funds used in a transaction:
   • o Verify that funds are from legitimate sources and aligned with the customer’s declared financial profile.
   • o For legal entities, request additional documentation to verify the source of funds for significant or unusual transactions, including contracts, audited financial statements, or bank statements.
4. In economic or professional activities, paying more attention to transactions made in the business relationship:
   • o Monitor activities, customer behavior, and circumstances that may suggest criminal activity, money laundering, or terrorist financing. This includes complex, high-value, and unusual transactions that lack a reasonable or visible economic purpose or that are inconsistent with the customer’s business profile.
   • o For legal entities, conduct real-time monitoring for high-risk entities, flagging irregular transactions for further investigation.
5. In economic or professional activities, paying more attention to the business relationship or transaction when the customer is associated with high-risk jurisdictions:
   • o Monitor transactions involving customers from high-risk third countries or territories or where the customer’s residence, registered office, or the payment service provider’s location is in such jurisdictions.
   • o For legal entities, apply enhanced due diligence measures if new high-risk individuals or entities are identified in the ownership structure.
6. Understanding the nature, reason, and background of transactions and related information:
   • o Identify and document the substance of transactions, paying particular attention to high-risk customers or legal entities whose ownership structure or transaction behavior may indicate heightened risks.
   • o For legal entities, conduct frequent re-assessments of risk profile if there are notable changes, such as new beneficial owners, business lines, or expansion into high-risk jurisdictions. Any significant changes, especially those involving PEPs or high-risk jurisdictions, must receive senior management approval.
7. Documentation of Monitoring Actions and Reporting of Suspicious Activities:
   • o Record all monitoring actions, findings, and risk re-assessments in a secure format, ensuring an audit trail is maintained for future reviews or investigations.
   • o Immediately report unusual activity or discrepancies to the Compliance Officer, who will evaluate if further reporting to the Financial Intelligence Unit (FIU) is required.

8. SUSPICIOUS TRANSACTIONS

8.1. Suspicious Transactions

Where the Company identifies an activity or facts whose characteristics refer to the use of criminal proceeds or terrorist financing or to the commission of related offences or an attempt thereof or with regard to which the obliged entity suspects or knows that it constitutes money laundering or terrorist financing or the commission of related offences (the “suspicious transaction”), the Company will report such case to the Financial Intelligence Unit (“FIU”) immediately, but not later than within two working days.

A suspicious transaction will often be one which is inconsistent with a Customer's known, legitimate business or personal activities or with the normal business of the specific account. The Company shall ensure that it maintains adequate information and knows enough about its Customers' activities in order to recognize on time that a transaction or a series of transactions is unusual or suspicious.

In order to identify suspicious transactions, the Company’s Compliance officer shall perform the following activities:

● monitor on a continuous basis any changes in the Customer’s financial status, business activities, type of transactions etc.

● receive and investigate information from the Company’s employees, on suspicious transactions which creates the belief or suspicion of money laundering. The information is received in electronic form (hereinafter the “Internal Suspicion Report”), a specimen of such report is attached in Appendix 1 of the AML Policy;

● evaluate and check the information received from the employees of the Company, with reference to other available sources of information and the exchanging of information in relation to the specific case with the reporter and, where this is deemed necessary, with the reporter’s supervisors. The information which is contained on the report which is submitted to the Compliance Officer is evaluated and shall be done on a report (hereinafter the “Internal Evaluation Report”), a specimen of such report is attached in Appendix 2 of the AML Policy.

If, as a result of the evaluation described above, the Compliance Officer decides to disclose this information to FIU, then he prepares a report, which he submits to the Unit, according to Section below.

If, as a result of the evaluation described above, the Compliance Officer decides not to disclose the relevant information to the Unit, then he fully explains the reasons for his decision on the Internal Evaluation Report.

8.2. Report to FIU

The Company shall notify FIU of each suspicious transaction, regardless of whether the transaction is made in a single payment or in several linked payments over a period of up to one year and shall assist FIU with any additional information requested and available to the Company.

In case of any such suspicion, the Company may suspend and/or postpone the transaction until the report, as per this paragraph, is made. If such suspension and/or postponement may cause considerable harm, it is not possible to omit the transaction or it may impede catching the person who committed possible money laundering or terrorist financing, the transaction or professional act will be carried out or the services will be provided and a report will be submitted to the FIU thereafter.

The report is submitted via the online form of the FIU.

The Company will not inform the person and its associated third parties about a report submitted on them to the FIU, a plan to submit such a report or the occurrence of reporting as well as about a precept made by the FIU or about the commencement of criminal proceedings. After a precept made by the FIU has been complied with, the Company may inform a person that the FIU has restricted the use of the person’s account or that another restriction has been imposed.

The prohibition of informing is not applied upon submission of information to:

● competent supervisory authorities and law enforcement agencies;

● credit institutions and financial institutions in between themselves where they are part of the same group;

● institutions and branches that are part of the same group where the group applies groupwide procedural rules and principles in accordance with AML Laws;

● a third party who operates in the same legal person or structure as an obliged entity who is a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation and whereby the legal person or structure has the same owners and management system where joint compliance is practiced.

The exchange of information regulated in this section must be retained in writing or in a form reproducible in writing for the next five years and information is submitted to the competent supervisory authority at its request.

8.3. Discharge of liability

The Company, its employee, representative and the person who acted on its behalf is not liable for damage caused to a person or customer participating in a transaction in the provision of Services:

● upon performance of duties and obligations arising from AML Laws in good faith, from failing to make the transaction or from failing to make the transaction within the prescribed time limit;

● in connection with the performance of the duty to report in good faith;

● by implementing cooperation and exchange of information and considering the concerns when establishing relationships with shell banks in good faith.

The performance of the duty to report and submission of information by the Company is not deemed breach of the confidentiality requirement arising from law or contract and the statutory or contractual liability for the disclosure of the information is not applied to the person who performed the duty to report. An agreement derogating from this provision is void.

The Company established a system of measures ensuring that its employees and representatives who are involved in the report and submission of information, either within the obliged entity or directly to the FIU, are protected from being exposed to threats or hostile action by other employees, management body members or customers of the obliged entity, in particular from adverse or discriminatory employment actions.

8.4. Transaction suspension

The Company suspends transaction immediately after the respective request is submitted by the FIU or the competent public prosecutor.

9. SANCTIONS SCREENING PROCEDURES

To ensure compliance with applicable international and national sanctions regulations, the Company conducts sanctions screening as an integral part of its Customer Due Diligence (CDD) and ongoing monitoring processes. This screening is facilitated using the ComplyAdvantage service, operated through SUMSUB, our primary KYC and monitoring provider. All customers, transactions, and relevant counterparties are screened against updated sanction lists, including but not limited to those issued by the United Nations, the European Union, the Office of Foreign Assets Control (OFAC), and HMT.

The screening is automated, leveraging real-time updates to identify potential matches. Upon identification of a possible sanctioned individual or entity, a manual review is conducted by the Compliance Officer to confirm the match and assess the need for further action. If a potential match is identified, the Company immediately ceases any ongoing transaction or business relationship with the affected party and submits a report to the Financial Intelligence Unit (FIU) as required by applicable laws and regulations.

To ensure accuracy and effectiveness, the sanctions screening process is reviewed periodically, and employees are trained on its operational aspects and the importance of adhering to sanctions compliance standards. This framework ensures that the Company mitigates risks associated with engaging sanctioned individuals or entities, maintaining compliance with legal obligations and safeguarding its operations.

10. ADVERSE MEDIA SCREENING PROCEDURES

The Company incorporates adverse media screening as part of its comprehensive Customer Due Diligence (CDD) and ongoing monitoring framework to identify potential reputational, regulatory, or financial risks associated with its customers. This screening is performed using the ComplyAdvantage service via SUMSUB, which leverages real-time access to global databases of news articles, reports, and other media sources. The screening process ensures the identification of any negative or adverse information linked to customers, their associates, or related entities, including allegations of financial crimes, corruption, terrorism, or other activities indicative of heightened risk.

Adverse media screening is conducted both at the onboarding stage and as part of the Company's ongoing monitoring to capture new or evolving risks. In cases where adverse media is identified, the Compliance Officer evaluates the findings to determine their credibility, relevance, and impact on the customer's risk profile. Based on the assessment, appropriate measures are taken, which may include enhanced due diligence, escalation to senior management, or termination of the business relationship.

The Company ensures that the adverse media screening process is periodically reviewed and updated to remain effective and aligned with regulatory expectations. Additionally, employees receive training to understand the importance of adverse media screening, ensuring that potential risks are identified and managed proactively to safeguard the Company's operations and reputation.

11. RECORD-KEEPING AND DATA PROTECTION PROCEDURES

The Company has in place mechanisms and secured systems in order to ensure a proper record of the business conducted and services provided to its Customers. The Company registers the following:

• A. transaction date or period and a description of the substance of the transaction.
• B. the monetary value of the transaction, the currency and any significant characteristics, if available;
• C. information on the circumstance of refusal to establish a business relationship or make an occasional transaction (if applicable);
• D. information on the circumstances of termination of a business relationship in connection with the impossibility of application of the due diligence measures;
• E. information serving as the basis for the duty to report the Customer’s transaction as suspicious;

The Company will retain records of the following for no less than 5 (five) years after making the transaction, termination of the business relationship and/or performing the duty to report:

• A. the originals or copies of the documents which serve as the basis for identification and verification of persons;
• B. the document prescribed for the digital identification of a person, any electronic enquiry to the identity documents database, and the audio and video recording of the procedure of identifying the person and verifying the person’s identity, as applicable;
• C. the entire correspondence relating to the performance of the duties and obligations arising from AML Laws;

The Company will retain the above documents and data in a manner that allows for exhaustively and immediately replying to the enquiries of the FIU or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether the obliged entity has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship.

Where the Company makes, for the purpose of identifying a person, an enquiry with a database that is part of the state information system, the record-keeping duties will be deemed performed where information on the making of an electronic enquiry to the register is reproducible over a period of five years after termination of the business relationship or making of the transaction.

11.1. Protection of personal data

The Company implements all rules of protection of personal data upon application of the requirements arising from AML Laws and Data Protection Laws (including and considering the EU General Data Protection Rules).

The Company has in place a Privacy Policy which implements the minimum standards for the safeguarding of data collected and the process of data processing. The Privacy Policy is being properly communicated to the Customers.

Regarding money laundering and terrorist financing, the Company is allowed to process personal data gathered only for the purpose of preventing money laundering and terrorist financing and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.

The Company submits information concerning the processing of personal data before establishing a business relationship or making an occasional transaction with the Customers. General information on the duties and obligations of the obliged entity upon processing personal data for AML purposes is given among this information.

12. EMPLOYEES’ OBLIGATIONS, EDUCATION AND TRAINING

The Company ensures that the employees whose employment duties include the establishment of business relationships or the making of transactions are provided with training in the performance of the duties and obligations arising from AML Laws and this policy, and such training must be provided when the employee commences performance of the specified employment duties, and thereafter regularly or when necessary.

In training, information, inter alia, on the duties and obligations provided for in the rules of procedure, modern methods of money laundering and terrorist financing and the related risks, the personal data protection requirements, on how to recognize acts related to possible money laundering or terrorist financing, and instructions for acting in such situations must be given.

The Compliance Officer has the duty to make proposals to the management board on organisation of training of the employees and representatives of the Company and must keep a record file of all training activities performed and planned once.

Appendix I. List of examples of appropriate information and/or supporting

documents required to establish the source of funds